
Fix product visibility and ownership rules for /api/v1/products endpoint #9

@abdullahalsazib

Description


Problem

The current implementation of GET /api/v1/products returns all products,
including those with status draft, archive, and private.
This means unauthenticated or normal users can see products that should not be publicly available.
Also, product ownership rules (vendor can only manage their own products) are not enforced.

Expected Behavior

  • Public (unauthenticated) users → should only see products with status = "published"
  • Authenticated normal users → should also only see "published"
  • Vendors → should be able to view, update, and delete only their own products
  • Admin / SuperAdmin → should be able to view and manage all products (draft, archive, private, published)

Steps to Reproduce

  1. Create a product with status = "draft"
  2. Call GET /api/v1/products without authentication
  3. The draft product is still visible (unexpected behavior)
  4. Vendor A can currently access Vendor B's products (ownership not restricted)

Suggested Solution

Update product query and authorization logic:

  • Check authentication and role
  • If not admin/superadmin → apply filter status = "published"
  • If admin/superadmin → return all products without filtering
  • Vendors → can access all statuses but only for their own products (match vendor_id)
  • Ensure proper authorization for update/delete (vendor can only manage own products)
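As an added illustration of the visibility and ownership rules described above (example code, not from the project): a row-level `can_view` filter applied server-side before serialization, plus a `can_manage` check for update/delete. It assumes role names `user`, `vendor`, `admin`, `superadmin`, a `vendor_id` on both user and product, that published products are part of the public catalog for every caller, and that any unrecognised role is treated as a normal user (deny by default).

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

PUBLISHED = "published"
PRIVILEGED_ROLES = {"admin", "superadmin"}   # assumed role names


@dataclass(frozen=True)
class Product:
    id: int
    vendor_id: int
    status: str   # assumed values: draft, archive, private, published


@dataclass(frozen=True)
class User:
    role: str                        # user, vendor, admin, superadmin (assumed)
    vendor_id: Optional[int] = None  # set only for vendor accounts


def can_view(user: Optional[User], product: Product) -> bool:
    """Row-level visibility rule for GET /api/v1/products."""
    if product.status == PUBLISHED:
        return True                  # published: visible to everyone, authenticated or not
    if user is None:
        return False                 # unauthenticated: published only
    if user.role in PRIVILEGED_ROLES:
        return True                  # admin/superadmin: every status
    if user.role == "vendor":        # vendor: any status, but only own products
        return user.vendor_id is not None and user.vendor_id == product.vendor_id
    return False                     # normal users and unknown roles: published only


def can_manage(user: Optional[User], product: Product) -> bool:
    """Authorization rule for update/delete on a single product."""
    if user is None:
        return False
    if user.role in PRIVILEGED_ROLES:
        return True
    if user.role == "vendor":
        return user.vendor_id is not None and user.vendor_id == product.vendor_id
    return False                     # deny by default


def list_products(user: Optional[User], products: list[Product]) -> list[Product]:
    """Filter applied on the server before anything reaches the client."""
    return [p for p in products if can_view(user, p)]


# Constructed sample data (not from the project).
PRODUCTS = [
    Product(1, vendor_id=10, status="published"),
    Product(2, vendor_id=10, status="draft"),
    Product(3, vendor_id=20, status="private"),
    Product(4, vendor_id=20, status="archive"),
]
```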

Labels

  • good first issue (Good for newcomers)
  • help wanted (Extra attention is needed)
  • question (Further information is requested)
