---
task: Fix public marketplace /list-products-market showing 0 products for unauthenticated users — POST /Market/Products/List has auth middleware but the page is public
cycles: 3
context: true
private: false
started: 2026-05-16T16:02:42Z
finished: 2026-05-16T16:03:15Z
---

## files
- routes/web.php [line ~412] — `POST /Market/Products/List` has `'middleware' => 'auth'` but the page is designed to be public
- app/Http/Controllers/Market/ProductController.php [lines 561-607] — `listProductsData()` already has guest-safe fallback logic but it's never reached due to auth middleware
- app/Http/Controllers/Support/VueRouteMap.php [line ~58] — `/list-products-market` has `loginRequired: false` (correctly public)

## steps
1. In `routes/web.php`, on the `POST /Market/Products/List` route, remove `'middleware' => 'auth'` (or change it to optional auth that attaches user if present but doesn't block guests).
   - The controller already handles the guest case: `else { $products = Product::where('is_active', true)->get(); }` on line ~605.
   - With auth middleware removed, `Auth::user()` returns null for guests → `$UltOpsSupOps = false` → falls through to the `else` branch showing all active products. This is the correct behaviour.
2. No changes needed to `ProductController::listProductsData()` — it already handles null user correctly.
3. Verify: after removing auth middleware, visiting `/list-products-market` without login shows the full active product catalog.

## context
Current state (confirmed by Playwright):
- `/list-products-market` loads (loginRequired: false ✓)
- Page calls `POST /Market/Products/List` → 401 Unauthenticated (auth middleware blocks guest)
- Page shows "0 Products — No products found" for guests even though products exist

Controller fallback code (line ~602-607) already written for guests:
```php
if ($targetStore) {
    $products = $targetStore->products()->where('prd_str.is_active', true)->get();
} elseif ($UltOpsSupOps) {
    $products = Product::select([...])->get();
} else {
    // THIS runs for guests (no store, no big-3 role) — but currently unreachable due to auth middleware
    $products = Product::where('is_active', true)->get();
}
```

Route fix (web.php):
```php
// BEFORE (blocks guests):
Route::post('/Market/Products/List', [
    'as'         => 'products.list.data',
    'uses'       => ProductController::class . '@listProductsData',
    'middleware' => 'auth',
]);

// AFTER (allows guests):
Route::post('/Market/Products/List', [
    'as'   => 'products.list.data',
    'uses' => ProductController::class . '@listProductsData',
]);
```

## notes
- dictionary: ai-docs/dictionary.md (products table = `prd_items`, product-store pivot = `prd_str`)
- linters: none
- constraints: The controller's `Auth::user()` returns null gracefully for guests in Hypervel — no additional null checks needed.