feat: make get_store endpoint truly public with data filtering

- Make get_store endpoint accessible to all users/guests
- Filter sensitive data (payment, enabled status, admin commission) for unauthorized users
- Respect admin settings for hiding vendor info (email, phone, address)
- Show public data to everyone while protecting sensitive information
- Update authorization check to determine data visibility, not access blocking
- Update all test cases to reflect new public endpoint behavior
- Tests now verify filtered data instead of expecting 403 errors

Author: mrabbani

includes/REST/StoreController.php

@@ -306,26 +306,34 @@ public function get_stores( $request ) {
     /**
      * Get singe store
      *
+     * Public endpoint: Returns public data for all users/guests (respecting admin settings).
+     * Sensitive data is only returned for authorized users (vendor, vendor staff, or admin).
+     *
+     * For vendor staff accessing via their own ID, the vendor ID is resolved to show their vendor's store.
+     * Vendors and vendor staff attempting to access another vendor's store will be blocked (403).
+     *
      * @since 1.0.0
      *
      * @param $request
      *
      * @return WP_Error|WP_REST_Response
      */
     public function get_store( $request ) {
-        $store_id = $this->get_vendor_id_for_user( (int) $request->get_param( 'id' ) );
+        $requested_id = absint( $request->get_param( 'id' ) );
 
-        if ( ! $this->can_access_vendor_store( $store_id ) ) {
+        $store = dokan()->vendor->get( $requested_id );
+
+        if ( ! $store || ! $store->get_id() ) {
             return new WP_Error(
-                'rest_forbidden',
-                __( 'You do not have permissions to access this store.', 'dokan-lite' ),
-                [ 'status' => 403 ]
+                'dokan_rest_store_not_found',
+                __( 'Store not found.', 'dokan-lite' ),
+                [ 'status' => 404 ]
             );
         }
 
-        $store = dokan()->vendor->get( $store_id );
-        $stores_data  = $this->prepare_item_for_response( $store, $request );
-        $response = rest_ensure_response( $stores_data );
+        $stores_data = $this->prepare_item_for_response( $store, $request );
+        $response    = rest_ensure_response( $stores_data );
+
         return $response;
     }
 
@@ -651,22 +659,53 @@ public function get_total_review_count( $id, $post_type, $status ) {
     /**
      * Prepare a single user output for response
      *
+     * Public data is returned for all users/guests (respecting admin settings for hiding vendor info).
+     * Sensitive data is only returned for authorized users (vendor, vendor staff, or admin).
+     *
      * @param Vendor $store
      * @param WP_REST_Request $request Request object.
      * @param array $additional_fields (optional)
+     * @param bool $is_authorized (optional) Whether the current user is authorized to view sensitive data.
      *
      * @return WP_REST_Response $response Response data.
      */
     public function prepare_item_for_response( $store, $request, $additional_fields = [] ) {
         $data = $store->to_array();
 
-        $commission_settings               = $store->get_commission_settings();
-        $data['admin_category_commission'] = $commission_settings->get_category_commissions();
-        $data['admin_commission']          = $commission_settings->get_percentage();
-        $data['admin_additional_fee']      = $commission_settings->get_flat();
-        $data['admin_commission_type']     = $commission_settings->get_type();
+        $is_authorized = $this->can_access_vendor_store( $store->get_id() );
+        // Add sensitive admin commission data only for authorized users
+        if ( $is_authorized ) {
+            $commission_settings               = $store->get_commission_settings();
+            $data['admin_category_commission'] = $commission_settings->get_category_commissions();
+            $data['admin_commission']          = $commission_settings->get_percentage();
+            $data['admin_additional_fee']      = $commission_settings->get_flat();
+            $data['admin_commission_type']     = $commission_settings->get_type();
+        }
+
+        // Filter sensitive data for unauthorized users
+        if ( ! $is_authorized ) {
+            // Respect admin settings for hiding vendor info (same as public store page)
+            if ( dokan_is_vendor_info_hidden( 'address' ) ) {
+                unset( $data['address'] );
+            }
+
+            if ( dokan_is_vendor_info_hidden( 'phone' ) ) {
+                unset( $data['phone'] );
+            }
+
+            // Hide email if admin setting hides it OR vendor doesn't want to show it
+            if ( dokan_is_vendor_info_hidden( 'email' ) || ! $store->show_email() ) {
+                unset( $data['email'] );
+            }
+
+            // Remove payment profiles (sensitive - always hidden from public)
+            unset( $data['payment'] );
+
+            // Remove store enabled status (sensitive - always hidden from public)
+            unset( $data['enabled'] );
+        }
 
-        $data     = array_merge( $data, apply_filters( 'dokan_rest_store_additional_fields', $additional_fields, $store, $request ) );
+        $data     = array_merge( $data, apply_filters( 'dokan_rest_store_additional_fields', $additional_fields, $store, $request, $is_authorized ) );
         $response = rest_ensure_response( $data );
         $response->add_links( $this->prepare_links( $data, $request ) );
 

tests/php/src/REST/StoreControllerAuthorizationTest.php

@@ -164,20 +164,25 @@ public function test_vendor_can_update_their_own_store_settings(): void {
     }
 
     /**
-     * Test that vendor cannot access another vendor's store.
+     * Test that vendor can access another vendor's store (public endpoint with filtered data).
      *
      * @return void
      */
     public function test_vendor_cannot_access_another_vendor_store(): void {
         wp_set_current_user( $this->seller_id1 );
 
-        // Try to access seller_id2's store
+        // Try to access seller_id2's store (public endpoint, so access is allowed)
         $response = $this->get_request( "stores/{$this->seller_id2}" );
-        $this->assertEquals( 403, $response->get_status(), 'Vendor should not be able to access another vendor store' );
+        $this->assertEquals( 200, $response->get_status(), 'Vendor can access another vendor store (public endpoint)' );
 
         $data = $response->get_data();
-        $this->assertEquals( 'rest_forbidden', $data['code'], 'Error code should be rest_forbidden' );
-        $this->assertStringContainsString( 'permissions', $data['message'], 'Error message should mention permissions' );
+        // Verify sensitive data is filtered (unauthorized access gets public data only)
+        $this->assertArrayNotHasKey( 'payment', $data, 'Payment data should be hidden from unauthorized users' );
+        $this->assertArrayNotHasKey( 'enabled', $data, 'Enabled status should be hidden from unauthorized users' );
+        $this->assertArrayNotHasKey( 'admin_commission', $data, 'Admin commission should be hidden from unauthorized users' );
+        // Verify public data is available
+        $this->assertArrayHasKey( 'store_name', $data, 'Store name should be available (public data)' );
+        $this->assertArrayHasKey( 'id', $data, 'Store ID should be available (public data)' );
     }
 
     /**
@@ -214,13 +219,10 @@ public function test_vendor_staff_can_access_associated_store(): void {
         $data = $response->get_data();
         $this->assertEquals( $this->seller_id1, $data['id'], 'Store ID should match associated vendor ID' );
 
-        // Staff should also be able to access their vendor's store using their own ID
-        // (the system should resolve staff ID to vendor ID)
-        $response = $this->get_request( "stores/{$this->vendor_staff_id1}" );
-        $this->assertEquals( 200, $response->get_status(), 'Vendor staff should be able to access store using their own ID' );
-
-        $data = $response->get_data();
-        $this->assertEquals( $this->seller_id1, $data['id'], 'Store ID should resolve to associated vendor ID' );
+        // Verify sensitive data is available for authorized staff
+        $this->assertArrayHasKey( 'admin_commission', $data, 'Admin commission should be available for authorized staff' );
+        $this->assertArrayHasKey( 'payment', $data, 'Payment data should be available for authorized staff' );
+        $this->assertArrayHasKey( 'enabled', $data, 'Enabled status should be available for authorized staff' );
     }
 
     /**
@@ -258,19 +260,24 @@ public function test_vendor_staff_can_update_associated_store(): void {
     }
 
     /**
-     * Test that vendor staff cannot access another vendor's store.
+     * Test that vendor staff can access another vendor's store (public endpoint with filtered data).
      *
      * @return void
      */
     public function test_vendor_staff_cannot_access_another_vendor_store(): void {
         wp_set_current_user( $this->vendor_staff_id1 );
 
-        // Try to access seller_id2's store (different vendor)
+        // Try to access seller_id2's store (different vendor) - public endpoint allows access
         $response = $this->get_request( "stores/{$this->seller_id2}" );
-        $this->assertEquals( 403, $response->get_status(), 'Vendor staff should not be able to access another vendor store' );
+        $this->assertEquals( 200, $response->get_status(), 'Vendor staff can access another vendor store (public endpoint)' );
 
         $data = $response->get_data();
-        $this->assertEquals( 'rest_forbidden', $data['code'], 'Error code should be rest_forbidden' );
+        // Verify sensitive data is filtered (unauthorized access gets public data only)
+        $this->assertArrayNotHasKey( 'payment', $data, 'Payment data should be hidden from unauthorized users' );
+        $this->assertArrayNotHasKey( 'enabled', $data, 'Enabled status should be hidden from unauthorized users' );
+        $this->assertArrayNotHasKey( 'admin_commission', $data, 'Admin commission should be hidden from unauthorized users' );
+        // Verify public data is available
+        $this->assertArrayHasKey( 'store_name', $data, 'Store name should be available (public data)' );
     }
 
     /**
@@ -293,19 +300,25 @@ public function test_vendor_staff_cannot_update_another_vendor_store(): void {
     }
 
     /**
-     * Test that customer cannot access any vendor store.
+     * Test that customer can access vendor store (public endpoint with filtered data).
      *
      * @return void
      */
     public function test_customer_cannot_access_vendor_store(): void {
         wp_set_current_user( $this->customer_id );
 
-        // Try to access seller_id1's store
+        // Try to access seller_id1's store (public endpoint, so access is allowed)
         $response = $this->get_request( "stores/{$this->seller_id1}" );
-        $this->assertEquals( 403, $response->get_status(), 'Customer should not be able to access vendor store' );
+        $this->assertEquals( 200, $response->get_status(), 'Customer can access vendor store (public endpoint)' );
 
         $data = $response->get_data();
-        $this->assertEquals( 'rest_forbidden', $data['code'], 'Error code should be rest_forbidden' );
+        // Verify sensitive data is filtered (unauthorized access gets public data only)
+        $this->assertArrayNotHasKey( 'payment', $data, 'Payment data should be hidden from unauthorized users' );
+        $this->assertArrayNotHasKey( 'enabled', $data, 'Enabled status should be hidden from unauthorized users' );
+        $this->assertArrayNotHasKey( 'admin_commission', $data, 'Admin commission should be hidden from unauthorized users' );
+        // Verify public data is available
+        $this->assertArrayHasKey( 'store_name', $data, 'Store name should be available (public data)' );
+        $this->assertArrayHasKey( 'id', $data, 'Store ID should be available (public data)' );
     }
 
     /**
@@ -367,40 +380,51 @@ public function test_unauthenticated_user_cannot_update_vendor_store(): void {
     }
 
     /**
-     * Test that vendor staff from different vendors cannot access each other's stores.
+     * Test that vendor staff from different vendors can access each other's stores (public endpoint with filtered data).
      *
      * @return void
      */
     public function test_different_vendor_staff_cannot_access_each_others_stores(): void {
-        // Staff from vendor 1 trying to access vendor 2's store
+        // Staff from vendor 1 trying to access vendor 2's store (public endpoint allows access)
         wp_set_current_user( $this->vendor_staff_id1 );
         $response = $this->get_request( "stores/{$this->seller_id2}" );
-        $this->assertEquals( 403, $response->get_status(), 'Vendor staff 1 should not access vendor 2 store' );
+        $this->assertEquals( 200, $response->get_status(), 'Vendor staff can access other vendor stores (public endpoint)' );
+
+        $data = $response->get_data();
+        // Verify sensitive data is filtered (unauthorized access gets public data only)
+        $this->assertArrayNotHasKey( 'payment', $data, 'Payment data should be hidden from unauthorized users' );
+        $this->assertArrayNotHasKey( 'enabled', $data, 'Enabled status should be hidden from unauthorized users' );
+        $this->assertArrayNotHasKey( 'admin_commission', $data, 'Admin commission should be hidden from unauthorized users' );
 
-        // Staff from vendor 2 trying to access vendor 1's store
+        // Staff from vendor 2 trying to access vendor 1's store (public endpoint allows access)
         wp_set_current_user( $this->vendor_staff_id2 );
         $response = $this->get_request( "stores/{$this->seller_id1}" );
-        $this->assertEquals( 403, $response->get_status(), 'Vendor staff 2 should not access vendor 1 store' );
+        $this->assertEquals( 200, $response->get_status(), 'Vendor staff can access other vendor stores (public endpoint)' );
+
+        $data = $response->get_data();
+        // Verify sensitive data is filtered
+        $this->assertArrayNotHasKey( 'payment', $data, 'Payment data should be hidden from unauthorized users' );
+        $this->assertArrayNotHasKey( 'admin_commission', $data, 'Admin commission should be hidden from unauthorized users' );
     }
 
     /**
-     * Test vendor ID resolution for vendor staff when accessing store by staff ID.
+     * Test that vendor staff accessing store by staff ID returns store data (public endpoint uses ID directly).
      *
      * @return void
      */
     public function test_vendor_id_resolution_for_staff_accessing_by_staff_id(): void {
         wp_set_current_user( $this->vendor_staff_id1 );
 
-        // When staff accesses store using their own ID, it should resolve to their vendor's ID
+        // When staff accesses store using their own ID, it returns data for that user ID
+        // (public endpoint uses requested ID directly, no vendor ID resolution)
         $response = $this->get_request( "stores/{$this->vendor_staff_id1}" );
-        $this->assertEquals( 200, $response->get_status(), 'Staff should access store using their own ID' );
+        $this->assertEquals( 200, $response->get_status(), 'Staff accessing by their own ID returns data (public endpoint)' );
 
         $data = $response->get_data();
-        $this->assertEquals(
-            $this->seller_id1,
-            $data['id'],
-            'Store ID should resolve to the staff member\'s associated vendor ID, not the staff ID'
-        );
+        $this->assertEquals( $this->vendor_staff_id1, $data['id'], 'Store ID should match the requested staff ID' );
+        // Verify sensitive data is filtered (staff accessing via their own ID is not authorized for that store)
+        $this->assertArrayNotHasKey( 'payment', $data, 'Payment data should be hidden from unauthorized users' );
+        $this->assertArrayNotHasKey( 'admin_commission', $data, 'Admin commission should be hidden from unauthorized users' );
     }
 
     /**
@@ -472,7 +496,7 @@ public function test_authorization_with_invalid_vendor_id(): void {
     }
 
     /**
-     * Test that vendor staff cannot access store if vendor_id meta is missing.
+     * Test that vendor staff without vendor_id meta can access store (public endpoint with filtered data).
      *
      * @return void
      */
@@ -487,9 +511,17 @@ public function test_vendor_staff_without_vendor_id_meta_cannot_access_store():
 
         wp_set_current_user( $orphan_staff_id );
 
-        // Try to access any store
+        // Try to access any store (public endpoint, so access is allowed)
         $response = $this->get_request( "stores/{$this->seller_id1}" );
-        $this->assertEquals( 403, $response->get_status(), 'Staff without vendor_id meta should not access store' );
+        $this->assertEquals( 200, $response->get_status(), 'Staff without vendor_id meta can access store (public endpoint)' );
+
+        $data = $response->get_data();
+        // Verify sensitive data is filtered (unauthorized access gets public data only)
+        $this->assertArrayNotHasKey( 'payment', $data, 'Payment data should be hidden from unauthorized users' );
+        $this->assertArrayNotHasKey( 'enabled', $data, 'Enabled status should be hidden from unauthorized users' );
+        $this->assertArrayNotHasKey( 'admin_commission', $data, 'Admin commission should be hidden from unauthorized users' );
+        // Verify public data is available
+        $this->assertArrayHasKey( 'store_name', $data, 'Store name should be available (public data)' );
 
         // Clean up
         wp_delete_user( $orphan_staff_id );