Both dispute privilege-escalation issues fixed in backend disputeRoutes.ts. Index updated: 51 open (12 critical), 2 resolved. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1.3 KiB
| issue | title | severity | domain | labels | status | resolved | fix | created | source |
|---|---|---|---|---|---|---|---|---|---|
| 002 | POST /api/disputes/:id/assign has no role guard — any user can self-assign as admin | critical | Dispute | | resolved | 2026-05-29 | Added authorizeRoles('admin') middleware to POST /:id/assign in backend/src/routes/disputeRoutes.ts | 2026-05-29 | Doc vs Code Audit 2026-05-29 |
🔴 POST /api/disputes/:id/assign has no role guard — any user can self-assign as admin
Severity: critical
Domain: Dispute
Labels: security, bug, backend, privilege-escalation
Description
The POST /api/disputes/:id/assign endpoint registers only authenticateToken, so any authenticated user can assign themselves, or anyone else, as the admin handler for a dispute. The admin check is absent at both the middleware and controller levels.
Current Behavior
Any authenticated buyer or seller can call POST /api/disputes/:id/assign and become the assigned admin for the dispute.
Expected Behavior
Return 403 for non-admin tokens. Apply authorizeRoles('admin') at the route level.
Affected Files
backend/src/routes/disputeRoutes.ts
backend/src/controllers/disputeController.ts
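The vulnerable registration and the fixed one side by side, as an added example rather than code from this repository. It assumes an Express-style (req, res, next) middleware chain, that authenticateToken populates req.user with a role, and the names authorizeRoles and assignDispute; the Request/Response shapes and the runChain simulator are stand-ins so the example runs without a server.

```typescript
// Added example (not the project's code). Assumptions: Express-style
// middleware signatures, req.user.role set by authenticateToken, and the
// names authorizeRoles / assignDispute. Request/Response are minimal stand-ins.

type Role = 'admin' | 'buyer' | 'seller';

interface Request {
  params: { id: string };
  user?: { id: string; role: Role };
}

interface Response {
  statusCode: number;
  body?: unknown;
  status(code: number): Response;
  json(body: unknown): Response;
}

type NextFunction = () => void;
type Handler = (req: Request, res: Response, next: NextFunction) => void;

// Stand-in for authenticateToken: the real one verifies the JWT and attaches
// req.user. Here the caller pre-populates req.user, so this only enforces
// "a valid token was presented" and says nothing about the caller's role.
const authenticateToken: Handler = (req, res, next) => {
  if (!req.user) {
    res.status(401).json({ error: 'Unauthorized' });
    return;
  }
  next();
};

// Role guard: 403 unless req.user.role is one of the allowed roles.
// It must be registered after authenticateToken, which populates req.user.
function authorizeRoles(...allowed: Role[]): Handler {
  return (req, res, next) => {
    if (!req.user || !allowed.includes(req.user.role)) {
      res.status(403).json({ error: 'Forbidden' });
      return;
    }
    next();
  };
}

// Hypothetical controller: records the caller as the dispute's admin handler.
const assignDispute: Handler = (req, res) => {
  res.status(200).json({ disputeId: req.params.id, assignedAdmin: req.user!.id });
};

// Runs a chain the way Express does: each handler either responds or calls
// next(); the chain stops at the first handler that does not call next().
function runChain(handlers: Handler[], req: Request): Response {
  const res: Response = {
    statusCode: 200,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  let i = 0;
  const next: NextFunction = () => {
    const h = handlers[i++];
    if (h) h(req, res, next);
  };
  next();
  return res;
}

// Before the fix (issue 002): only authenticateToken guards the route,
// so any buyer or seller reaches assignDispute.
const vulnerableAssignRoute: Handler[] = [authenticateToken, assignDispute];

// After the fix: authorizeRoles('admin') sits between authentication and
// the controller, matching the fix recorded in the index.
const fixedAssignRoute: Handler[] = [authenticateToken, authorizeRoles('admin'), assignDispute];

// HTTP status a caller with the given role (or no token at all) receives
// from POST /api/disputes/:id/assign under the given route chain.
function assignStatus(chain: Handler[], user?: { id: string; role: Role }): number {
  return runChain(chain, { params: { id: '42' }, user }).statusCode;
}
```

Ordering is the point to check in review: authorizeRoles reads req.user, so it is only meaningful after authenticateToken in the chain. The issue also notes the admin check is missing in the controller; the route-level guard is what the fix adds, and a second check inside assignDispute would be defense in depth, not a replacement.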