fix: make payment field hidden for other vendor in api response (#642)

includes/api/class-store-controller.php

@@ -217,8 +217,14 @@ public function delete_store( $request ) {
      *
      * @return bool
      */
-    public function update_store_permissions_check() {
-        return current_user_can( 'dokandar' );
+    public function update_store_permissions_check( $request ) {
+        if ( current_user_can( 'manage_woocommerce' ) ) {
+            return true;
+        }
+
+        if ( current_user_can( 'dokandar' ) ) {
+            return dokan_get_current_user_id() === absint( $request->get_param( 'id' ) );
+        }
     }
 
     /**

includes/class-api-manager.php

@@ -45,6 +45,7 @@ public function __construct() {
 
         // Send email to admin on adding a new product
         add_action( 'dokan_rest_insert_product_object', array( $this, 'on_dokan_rest_insert_product' ), 10, 3 );
+        add_filter( 'dokan_vendor_to_array', [ $this, 'filter_payment_response' ] );
     }
 
     /**
@@ -149,4 +150,27 @@ public function on_dokan_rest_insert_product( $object, $request, $creating ) {
 
         do_action( 'dokan_new_product_added', $object->get_id(), $request );
     }
+
+    /**
+     * Make payment field hidden in api response for other vendor
+     *
+     * @param array $data
+     *
+     * @since DOKAN_LITE_SINCE
+     *
+     * @return array
+     */
+    public function filter_payment_response( $data ) {
+        if ( current_user_can( 'manage_woocommerce' ) ) {
+            return $data;
+        }
+
+        $vendor_id = ! empty( $data['id'] ) ? absint( $data['id'] ) : 0;
+
+        if ( $vendor_id !== dokan_get_current_user_id() ) {
+            $data['payment'] = '******';
+        }
+
+        return $data;
+    }
 }