diff --git a/backend/src/dispute-flow/dispute-flow.routes.ts b/backend/src/dispute-flow/dispute-flow.routes.ts
index 0eeaf36..3b557c2 100644
--- a/backend/src/dispute-flow/dispute-flow.routes.ts
+++ b/backend/src/dispute-flow/dispute-flow.routes.ts
@@ -1,10 +1,11 @@
 import express from 'express';
 import { DisputeFlowService } from './dispute-flow.service';
+import { requireRole } from '../middleware/requireRole';
 const router = express.Router();
-// Create a new dispute
-router.post('/disputes', async (req, res) => {
+// Create a new dispute - requires 'user' role
+router.post('/disputes', requireRole(['user']), async (req, res) => {
 try {
 const dispute = await DisputeFlowService.createDispute(req.body);
 res.status(201).json(dispute);
@@ -14,8 +15,8 @@ router.post('/disputes', async (req, res) => {
 }
 });
-// Add evidence to a dispute
-router.post('/disputes/:id/evidence', async (req, res) => {
+// Add evidence to a dispute - requires 'user' role
+router.post('/disputes/:id/evidence', requireRole(['user']), async (req, res) => {
 try {
 const { id } = req.params;
 const { actorUserId, ...evidenceData } = req.body;
@@ -28,8 +29,8 @@ router.post('/disputes/:id/evidence', async (req, res) => {
 }
 });
-// Update dispute status
-router.post('/disputes/:id/status', async (req, res) => {
+// Update dispute status - requires 'moderator' or 'admin' role
+router.post('/disputes/:id/status', requireRole(['moderator', 'admin']), async (req, res) => {
 try {
 const { id } = req.params;
 const { actorUserId, newStatus } = req.body;
@@ -42,8 +43,8 @@ router.post('/disputes/:id/status', async (req, res) => {
 }
 });
-// Resolve a dispute
-router.post('/disputes/:id/resolve', async (req, res) => {
+// Resolve a dispute - requires 'moderator' or 'admin' role
+router.post('/disputes/:id/resolve', requireRole(['moderator', 'admin']), async (req, res) => {
 try {
 const { id } = req.params;
 const { actorUserId, ...decisionData } = req.body;
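Review bot: Nothing in this file shows where the caller is authenticated before `requireRole(['user'])` runs on `POST /disputes`, so the role check depends on a middleware that is outside this diff. If `requireRole` reads a principal attached earlier in the chain, it should fail closed with 401 when none is present, and that dependency is worth recording next to the new import: `// requireRole relies on the auth middleware mounted before this router; requests without an authenticated principal are rejected`. It is also worth confirming that `['user']` is meant to exclude moderators and admins from opening a dispute (and from adding evidence in the next hunk) unless those accounts also carry the `user` role. The handler body continues outside the hunk.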
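Review bot: The role check does not bind the action to the caller, because `actorUserId` is still destructured from `req.body` on the evidence route; the `/disputes/:id/status` and `/disputes/:id/resolve` hunks do the same. Any account that passes `requireRole` can name a different user as the actor, so whatever the service records for attribution (presumably the dispute event log) cannot be trusted. Take the actor from the authenticated principal and discard the body field, e.g. `const { actorUserId: _ignored, ...evidenceData } = req.body;` followed by `const actorUserId = req.user.id;`, where `req.user.id` is a placeholder for whatever property the auth middleware sets. `createDispute(req.body)` in the first hunk forwards the whole body and probably needs the same treatment for the dispute's creator. All four handler bodies continue outside their hunks.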
@@ -56,8 +57,8 @@ router.post('/disputes/:id/resolve', async (req, res) => {
 }
 });
-// Get dispute details
-router.get('/disputes/:id', async (req, res) => {
+// Get dispute details - requires 'user', 'moderator', or 'admin' role
+router.get('/disputes/:id', requireRole(['user', 'moderator', 'admin']), async (req, res) => {
 try {
 const { id } = req.params;
 const dispute = await DisputeFlowService.getDispute(parseInt(id));
@@ -73,8 +74,8 @@ router.get('/disputes/:id', async (req, res) => {
 }
 });
-// Get dispute events
-router.get('/disputes/:id/events', async (req, res) => {
+// Get dispute events - requires 'user', 'moderator', or 'admin' role
+router.get('/disputes/:id/events', requireRole(['user', 'moderator', 'admin']), async (req, res) => {
 try {
 const { id } = req.params;
 const events = await DisputeFlowService.getDisputeEvents(parseInt(id));
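Review bot: Access to `GET /disputes/:id` is gated on role only, so unless `DisputeFlowService.getDispute` checks ownership itself, any account with the `user` role can fetch a dispute it is not a party to. The same gap applies to `GET /disputes/:id/events` in the next hunk and to the `user`-only evidence route earlier in the file. After the dispute is loaded, verify that the caller is a party to it or holds `moderator`/`admin`, and answer 404 rather than 403 so the response does not confirm which ids exist: `if (!canAccessDispute(req, dispute)) return res.status(404).end();`, where `canAccessDispute` is a placeholder for a helper this diff does not contain. If the service layer already enforces this, a one-line comment on the route saying so would settle the question. The handler body continues outside the hunk.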
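Review bot: `parseInt(id)` is called without a radix and its result reaches `getDisputeEvents` unvalidated; the `getDispute` call in the previous hunk has the same problem. `parseInt` accepts a numeric prefix, so a path segment such as `12abc` is treated as dispute 12, and a non-numeric segment passes `NaN` into the service. Reject malformed ids before the lookup with `if (!/^[1-9]\d*$/.test(id)) return res.status(400).json({ error: 'Invalid dispute id' });` (adjust the body to the file's existing error shape), then call `Number(id)`. The handler body continues outside the hunk.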