apply security audit

backend/src/routes/member.routes.ts

@@ -110,14 +110,29 @@ router.post(
   memberController.createMemberProfile.bind(memberController)
 );
 
+/**
+ * Inline middleware for PATCH /:userId.
+ * Enforces that the caller is either the profile owner OR holds members:write.
+ * This is the route-level IDOR guard; the controller still applies the
+ * correct Zod schema (full vs. limited fields) based on role.
+ */
+const requireOwnerOrWrite = (req: Request, res: Response, next: NextFunction): void => {
+  const isOwner = req.user?.id === req.params.userId;
+  if (isOwner) {
+    next();
+    return;
+  }
+  // Not the owner — must have members:write permission
+  requirePermission('members:write')(req, res, next);
+};
+
 /**
  * PATCH /:userId — open to both privileged users AND the profile owner.
- * The controller itself enforces the correct Zod schema (full vs. limited)
- * based on the caller's role.
+ * Route-level guard rejects all other callers before the controller runs.
  */
 router.patch(
   '/:userId',
-  // No requirePermission here — controller handles own-profile vs. write-role logic
+  requireOwnerOrWrite,
   memberController.updateMember.bind(memberController)
 );