nick-doc/Issues/ISSUE-093-backend-addevidence-no-participant-ownership-check-on-disputes.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | labels | status | created | source |
|---|---|---|---|---|---|---|---|
| 093 | Backend: addEvidence has no participant ownership check on disputes | medium | Dispute | security, backend, authorization | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |

Backend: addEvidence has no participant ownership check on disputes

Severity: medium Domain: Dispute Labels: security, backend, authorization

Description

src/routes/disputeRoutes.ts:32 registers the addEvidence route with only the authenticateToken middleware. Authentication is the only gate: any authenticated user can submit evidence to any dispute, not just the buyer, seller, or admin who are the dispute's participants.

Options

  1. Verify req.user.id is buyer or seller of the dispute before accepting evidence.
  2. Allow admins plus participants only.
  3. Add participant check in controller and reject otherwise.

Recommendation

Add a participant (buyer/seller/admin) check in addEvidence before persisting. This is an authorization-logic change.
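The following is an added example of the recommended check, not code from the audited repository. It implements option 2 (participants plus admins) as a pure rule that the addEvidence controller logic calls before anything is persisted. Only req.user.id and the buyer/seller/admin participant rule come from the issue; the dispute field names (buyerId, sellerId, evidence), the role field on req.user, the in-memory store, and the sample dispute are assumptions made for the example.

```typescript
// Added example, not code from the audited repository: a participant/admin
// authorization check for the dispute addEvidence handler.
// Assumptions (not stated in the issue): the dispute record carries buyerId and
// sellerId, req.user carries a role field, and evidence is an array on the dispute.

type Role = "buyer" | "seller" | "admin";

interface AuthUser {
  id: string;   // req.user.id, as referenced in the issue
  role: Role;   // assumed field
}

interface Dispute {
  id: string;
  buyerId: string;  // assumed field name
  sellerId: string; // assumed field name
  evidence: { submittedBy: string; note: string }[];
}

interface AddEvidenceResult {
  status: number;
  body: { error?: string; evidenceCount?: number };
}

// Constructed in-memory store standing in for the real dispute repository.
function createSampleStore(): Map<string, Dispute> {
  return new Map<string, Dispute>([
    ["d-1", { id: "d-1", buyerId: "u-buyer", sellerId: "u-seller", evidence: [] }],
  ]);
}

// Pure authorization rule: only the dispute's buyer, its seller, or an admin
// may attach evidence (option 2 in the issue). Kept free of I/O so it can be
// unit-tested on its own.
function isDisputeParticipant(user: AuthUser, dispute: Dispute): boolean {
  if (user.role === "admin") return true;
  return user.id === dispute.buyerId || user.id === dispute.sellerId;
}

// Controller logic, framework-agnostic so it runs without Express. The ownership
// check runs before anything is persisted (here: before the push onto evidence).
function addEvidence(
  store: Map<string, Dispute>,
  user: AuthUser | undefined,
  disputeId: string,
  note: string,
): AddEvidenceResult {
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  const dispute = store.get(disputeId);
  if (!dispute) return { status: 404, body: { error: "dispute not found" } };
  if (!isDisputeParticipant(user, dispute)) {
    // 403 rather than 404: the caller is authenticated but not allowed. Logging
    // this branch also gives a detection signal for users probing others' disputes.
    return { status: 403, body: { error: "not a participant of this dispute" } };
  }
  dispute.evidence.push({ submittedBy: user.id, note });
  return { status: 200, body: { evidenceCount: dispute.evidence.length } };
}

// Express-style wrapper shape for wiring after authenticateToken (assumed to
// populate req.user). Typed minimally so no express import is needed here.
interface MinimalReq { user?: AuthUser; params: { id: string }; body: { note: string } }
interface MinimalRes { status(code: number): MinimalRes; json(body: unknown): MinimalRes }

function addEvidenceHandler(store: Map<string, Dispute>) {
  return (req: MinimalReq, res: MinimalRes): void => {
    const result = addEvidence(store, req.user, req.params.id, req.body.note);
    res.status(result.status).json(result.body);
  };
}
```

Keeping the rule in isDisputeParticipant separate from the handler means the route can keep authenticateToken as its only middleware while the controller enforces ownership, which matches option 3's placement; the check must run before the persistence call, otherwise a rejected request still leaves evidence behind.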

Affected Files

  • backend/src/routes/disputeRoutes.ts:32
  • backend/src/controllers/disputeController.ts (addEvidence handler)

References