-- ============================================================ -- Migration 053: Add TO authenticated to all RLS policies -- Per Supabase docs, policies should specify TO authenticated -- to avoid running auth.uid() checks for anon users (returns NULL). -- Also adds TO anon where public access is needed. -- ============================================================ -- Drop all policies again (clean slate) DO $$ DECLARE r record; BEGIN FOR r IN SELECT schemaname, tablename, policyname FROM pg_policies WHERE schemaname = 'public' LOOP EXECUTE format('DROP POLICY IF EXISTS %I ON %I.%I', r.policyname, r.schemaname, r.tablename); END LOOP; END; $$; -- ── profiles ── CREATE POLICY "Profiles are viewable by everyone" ON public.profiles FOR SELECT TO authenticated USING (true); CREATE POLICY "Users can update own profile" ON public.profiles FOR UPDATE TO authenticated USING ((select auth.uid()) = id); CREATE POLICY "Platform admins can update profiles" ON public.profiles FOR UPDATE TO authenticated USING ((select public.is_platform_admin())); -- ── organizations ── CREATE POLICY "Anyone can create organizations" ON public.organizations FOR INSERT TO authenticated WITH CHECK (true); CREATE POLICY "Members can view their organizations" ON public.organizations FOR SELECT TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = organizations.id AND om.user_id = (select auth.uid()) ) ); CREATE POLICY "Owners and admins can update organizations" ON public.organizations FOR UPDATE TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = organizations.id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin') ) ) WITH CHECK ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = organizations.id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin') ) ); CREATE POLICY "Owners can delete organizations" ON public.organizations FOR DELETE TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = organizations.id AND om.user_id = (select auth.uid()) AND om.role = 'owner' ) ); -- ── org_members ── CREATE POLICY "Members can view org members" ON public.org_members FOR SELECT TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om2 WHERE om2.org_id = org_members.org_id AND om2.user_id = (select auth.uid()) ) ); CREATE POLICY "Allow member inserts" ON public.org_members FOR INSERT TO authenticated WITH CHECK ( EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = org_members.org_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin') ) OR org_members.user_id = (select auth.uid()) ); CREATE POLICY "Owners and admins can manage members" ON public.org_members FOR UPDATE TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om2 WHERE om2.org_id = org_members.org_id AND om2.user_id = (select auth.uid()) AND om2.role IN ('owner', 'admin') ) ) WITH CHECK ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om2 WHERE om2.org_id = org_members.org_id AND om2.user_id = (select auth.uid()) AND om2.role IN ('owner', 'admin') ) ); CREATE POLICY "Owners and admins can delete members" ON public.org_members FOR DELETE TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om2 WHERE om2.org_id = org_members.org_id AND om2.user_id = (select auth.uid()) AND om2.role IN ('owner', 'admin') ) ); -- ── org_roles ── CREATE POLICY "Org members can view roles" ON public.org_roles FOR SELECT TO authenticated USING ( EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = org_roles.org_id AND om.user_id = (select auth.uid()) ) ); CREATE POLICY "Admins can manage roles" ON public.org_roles FOR ALL TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = org_roles.org_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin') ) ); -- ── org_invites ── CREATE POLICY "Org members can view invites" ON public.org_invites FOR SELECT TO authenticated USING ( EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = org_invites.org_id AND om.user_id = (select auth.uid()) ) ); CREATE POLICY "Anyone can view invite by token" ON public.org_invites FOR SELECT TO anon, authenticated USING (true); CREATE POLICY "Admins can manage invites" ON public.org_invites FOR ALL TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = org_invites.org_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin') ) ); -- ── documents ── CREATE POLICY "Editors can manage documents" ON public.documents FOR ALL TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = documents.org_id AND om.user_id = (select auth.uid()) ) ) WITH CHECK ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = documents.org_id AND om.user_id = (select auth.uid()) ) ); -- ── document_locks ── CREATE POLICY "Org members can view document locks" ON public.document_locks FOR SELECT TO authenticated USING ( EXISTS ( SELECT 1 FROM public.documents d JOIN public.org_members om ON d.org_id = om.org_id WHERE d.id = document_locks.document_id AND om.user_id = (select auth.uid()) ) ); CREATE POLICY "Users can insert their own locks" ON public.document_locks FOR INSERT TO authenticated WITH CHECK (user_id = (select auth.uid())); CREATE POLICY "Users can update their own locks" ON public.document_locks FOR UPDATE TO authenticated USING (user_id = (select auth.uid())); CREATE POLICY "Users can delete locks" ON public.document_locks FOR DELETE TO authenticated USING ( user_id = (select auth.uid()) OR last_heartbeat < (now() - interval '2 minutes') ); -- ── kanban_boards ── CREATE POLICY "Editors can manage boards" ON public.kanban_boards FOR ALL TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = kanban_boards.org_id AND om.user_id = (select auth.uid()) ) ) WITH CHECK ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = kanban_boards.org_id AND om.user_id = (select auth.uid()) ) ); -- ── kanban_columns ── CREATE POLICY "Editors can manage columns" ON public.kanban_columns FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.kanban_boards b JOIN public.org_members om ON b.org_id = om.org_id WHERE b.id = kanban_columns.board_id AND om.user_id = (select auth.uid()) ) ); -- ── kanban_cards ── CREATE POLICY "Editors can manage cards" ON public.kanban_cards FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.kanban_columns c JOIN public.kanban_boards b ON c.board_id = b.id JOIN public.org_members om ON b.org_id = om.org_id WHERE c.id = kanban_cards.column_id AND om.user_id = (select auth.uid()) ) ); -- ── card_assignees ── CREATE POLICY "Card assignees inherit card access" ON public.card_assignees FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.kanban_cards kc JOIN public.kanban_columns kcol ON kcol.id = kc.column_id JOIN public.kanban_boards kb ON kb.id = kcol.board_id JOIN public.org_members om ON om.org_id = kb.org_id WHERE kc.id = card_assignees.card_id AND om.user_id = (select auth.uid()) ) ); -- ── checklist_items (card checklists) ── CREATE POLICY "Editors can manage checklist items" ON public.checklist_items FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.kanban_cards c JOIN public.kanban_columns col ON c.column_id = col.id JOIN public.kanban_boards b ON col.board_id = b.id JOIN public.org_members om ON b.org_id = om.org_id WHERE c.id = checklist_items.card_id AND om.user_id = (select auth.uid()) ) ); -- ── kanban_checklist_items ── CREATE POLICY "Checklist items inherit card access" ON public.kanban_checklist_items FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.kanban_cards c JOIN public.kanban_columns col ON c.column_id = col.id JOIN public.kanban_boards b ON col.board_id = b.id JOIN public.org_members m ON b.org_id = m.org_id WHERE c.id = kanban_checklist_items.card_id AND m.user_id = (select auth.uid()) ) ); -- ── kanban_comments ── CREATE POLICY "Comments inherit card access" ON public.kanban_comments FOR SELECT TO authenticated USING ( EXISTS ( SELECT 1 FROM public.kanban_cards c JOIN public.kanban_columns col ON c.column_id = col.id JOIN public.kanban_boards b ON col.board_id = b.id JOIN public.org_members m ON b.org_id = m.org_id WHERE c.id = kanban_comments.card_id AND m.user_id = (select auth.uid()) ) ); CREATE POLICY "Users can insert own comments" ON public.kanban_comments FOR INSERT TO authenticated WITH CHECK ( user_id = (select auth.uid()) AND EXISTS ( SELECT 1 FROM public.kanban_cards c JOIN public.kanban_columns col ON c.column_id = col.id JOIN public.kanban_boards b ON col.board_id = b.id JOIN public.org_members m ON b.org_id = m.org_id WHERE c.id = kanban_comments.card_id AND m.user_id = (select auth.uid()) ) ); CREATE POLICY "Users can update own comments" ON public.kanban_comments FOR UPDATE TO authenticated USING (user_id = (select auth.uid())); CREATE POLICY "Users can delete own comments" ON public.kanban_comments FOR DELETE TO authenticated USING (user_id = (select auth.uid())); -- ── kanban_labels ── CREATE POLICY "Labels accessible to org members" ON public.kanban_labels FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.org_members m WHERE m.org_id = kanban_labels.org_id AND m.user_id = (select auth.uid()) ) ); -- ── card_labels ── CREATE POLICY "Card labels inherit card access" ON public.card_labels FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.kanban_cards c JOIN public.kanban_columns col ON c.column_id = col.id JOIN public.kanban_boards b ON col.board_id = b.id JOIN public.org_members m ON b.org_id = m.org_id WHERE c.id = card_labels.card_id AND m.user_id = (select auth.uid()) ) ); -- ── tags ── CREATE POLICY "Users can view tags in their orgs" ON public.tags FOR SELECT TO authenticated USING ( org_id IN (SELECT org_id FROM public.org_members WHERE user_id = (select auth.uid())) ); CREATE POLICY "Admins can manage tags" ON public.tags FOR ALL TO authenticated USING ( org_id IN ( SELECT org_id FROM public.org_members WHERE user_id = (select auth.uid()) AND role IN ('owner', 'admin') ) ); -- ── card_tags ── CREATE POLICY "Members can manage card tags" ON public.card_tags FOR ALL TO authenticated USING ( tag_id IN ( SELECT id FROM public.tags WHERE org_id IN ( SELECT org_id FROM public.org_members WHERE user_id = (select auth.uid()) ) ) ); -- ── teams ── CREATE POLICY "Users can view teams in their orgs" ON public.teams FOR SELECT TO authenticated USING ( org_id IN (SELECT org_id FROM public.org_members WHERE user_id = (select auth.uid())) ); CREATE POLICY "Admins can manage teams" ON public.teams FOR ALL TO authenticated USING ( org_id IN ( SELECT org_id FROM public.org_members WHERE user_id = (select auth.uid()) AND role IN ('owner', 'admin') ) ); -- ── team_members ── CREATE POLICY "Users can view team members in their orgs" ON public.team_members FOR SELECT TO authenticated USING ( team_id IN ( SELECT id FROM public.teams WHERE org_id IN ( SELECT org_id FROM public.org_members WHERE user_id = (select auth.uid()) ) ) ); CREATE POLICY "Admins can manage team members" ON public.team_members FOR ALL TO authenticated USING ( team_id IN ( SELECT id FROM public.teams WHERE org_id IN ( SELECT org_id FROM public.org_members WHERE user_id = (select auth.uid()) AND role IN ('owner', 'admin') ) ) ); -- ── calendar_events ── CREATE POLICY "Editors can manage events" ON public.calendar_events FOR ALL TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = calendar_events.org_id AND om.user_id = (select auth.uid()) ) ) WITH CHECK ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = calendar_events.org_id AND om.user_id = (select auth.uid()) ) ); -- ── event_attendees ── CREATE POLICY "Org members can manage event attendees" ON public.event_attendees FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.events e JOIN public.org_members om ON om.org_id = e.org_id WHERE e.id = event_attendees.event_id AND om.user_id = (select auth.uid()) ) ); -- ── org_google_calendars ── CREATE POLICY "Members can view org calendar" ON public.org_google_calendars FOR SELECT TO authenticated USING ( EXISTS ( SELECT 1 FROM public.org_members WHERE org_members.org_id = org_google_calendars.org_id AND org_members.user_id = (select auth.uid()) ) ); CREATE POLICY "Admins can manage org calendar" ON public.org_google_calendars FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.org_members WHERE org_members.org_id = org_google_calendars.org_id AND org_members.user_id = (select auth.uid()) AND org_members.role IN ('admin', 'owner') ) ); -- ── activity_log ── CREATE POLICY "Users can view org activity" ON public.activity_log FOR SELECT TO authenticated USING ( EXISTS ( SELECT 1 FROM public.org_members m WHERE m.org_id = activity_log.org_id AND m.user_id = (select auth.uid()) ) ); CREATE POLICY "Users can insert own activity" ON public.activity_log FOR INSERT TO authenticated WITH CHECK (user_id = (select auth.uid())); -- ── user_preferences ── CREATE POLICY "Users can manage own preferences" ON public.user_preferences FOR ALL TO authenticated USING (user_id = (select auth.uid())); -- ── matrix_credentials ── CREATE POLICY "Users can read own matrix credentials" ON public.matrix_credentials FOR SELECT TO authenticated USING ((select auth.uid()) = user_id); CREATE POLICY "Users can insert own matrix credentials" ON public.matrix_credentials FOR INSERT TO authenticated WITH CHECK ((select auth.uid()) = user_id); CREATE POLICY "Users can update own matrix credentials" ON public.matrix_credentials FOR UPDATE TO authenticated USING ((select auth.uid()) = user_id); CREATE POLICY "Users can delete own matrix credentials" ON public.matrix_credentials FOR DELETE TO authenticated USING ((select auth.uid()) = user_id); -- ── events ── CREATE POLICY "Editors can manage events" ON public.events FOR ALL TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = events.org_id AND om.user_id = (select auth.uid()) ) ) WITH CHECK ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = events.org_id AND om.user_id = (select auth.uid()) ) ); -- ── event_members ── CREATE POLICY "Editors can manage event members" ON public.event_members FOR ALL TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.events e JOIN public.org_members om ON e.org_id = om.org_id WHERE e.id = event_members.event_id AND om.user_id = (select auth.uid()) ) ) WITH CHECK ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.events e JOIN public.org_members om ON e.org_id = om.org_id WHERE e.id = event_members.event_id AND om.user_id = (select auth.uid()) ) ); -- ── event_roles ── CREATE POLICY "Editors can manage event roles" ON public.event_roles FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.events e JOIN public.org_members om ON e.org_id = om.org_id WHERE e.id = event_roles.event_id AND om.user_id = (select auth.uid()) ) ); -- ── event_departments ── CREATE POLICY "Editors can manage event departments" ON public.event_departments FOR ALL TO authenticated USING ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.events e JOIN public.org_members om ON e.org_id = om.org_id WHERE e.id = event_departments.event_id AND om.user_id = (select auth.uid()) ) ) WITH CHECK ( (select public.is_platform_admin()) OR EXISTS ( SELECT 1 FROM public.events e JOIN public.org_members om ON e.org_id = om.org_id WHERE e.id = event_departments.event_id AND om.user_id = (select auth.uid()) ) ); -- ── event_member_departments ── CREATE POLICY "Editors can manage member departments" ON public.event_member_departments FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.event_members em JOIN public.events e ON em.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE em.id = event_member_departments.event_member_id AND om.user_id = (select auth.uid()) ) ); -- ── event_task_columns ── CREATE POLICY "Editors can manage event task columns" ON public.event_task_columns FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.events e JOIN public.org_members om ON e.org_id = om.org_id WHERE e.id = event_task_columns.event_id AND om.user_id = (select auth.uid()) ) ); -- ── event_tasks ── CREATE POLICY "Editors can manage event tasks" ON public.event_tasks FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.events e JOIN public.org_members om ON e.org_id = om.org_id WHERE e.id = event_tasks.event_id AND om.user_id = (select auth.uid()) ) ); -- ── department_dashboards ── CREATE POLICY "Editors can manage department dashboards" ON public.department_dashboards FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ed.id = department_dashboards.department_id AND om.user_id = (select auth.uid()) ) ); -- ── dashboard_panels ── CREATE POLICY "Editors can manage dashboard panels" ON public.dashboard_panels FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.department_dashboards dd JOIN public.event_departments ed ON dd.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE dd.id = dashboard_panels.dashboard_id AND om.user_id = (select auth.uid()) ) ); -- ── department_checklists ── CREATE POLICY "Editors can manage department checklists" ON public.department_checklists FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ed.id = department_checklists.department_id AND om.user_id = (select auth.uid()) ) ); -- ── department_checklist_items ── CREATE POLICY "Editors can manage dept checklist items" ON public.department_checklist_items FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.department_checklists dc JOIN public.event_departments ed ON dc.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE dc.id = department_checklist_items.checklist_id AND om.user_id = (select auth.uid()) ) ); -- ── department_notes ── CREATE POLICY "Editors can manage department notes" ON public.department_notes FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ed.id = department_notes.department_id AND om.user_id = (select auth.uid()) ) ); -- ── schedule_stages ── CREATE POLICY "schedule_stages_select" ON public.schedule_stages FOR SELECT TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = schedule_stages.department_id AND om.user_id = (select auth.uid()) )); CREATE POLICY "schedule_stages_insert" ON public.schedule_stages FOR INSERT TO authenticated WITH CHECK (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = schedule_stages.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); CREATE POLICY "schedule_stages_update" ON public.schedule_stages FOR UPDATE TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = schedule_stages.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); CREATE POLICY "schedule_stages_delete" ON public.schedule_stages FOR DELETE TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = schedule_stages.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); -- ── schedule_blocks ── CREATE POLICY "schedule_blocks_select" ON public.schedule_blocks FOR SELECT TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = schedule_blocks.department_id AND om.user_id = (select auth.uid()) )); CREATE POLICY "schedule_blocks_insert" ON public.schedule_blocks FOR INSERT TO authenticated WITH CHECK (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = schedule_blocks.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); CREATE POLICY "schedule_blocks_update" ON public.schedule_blocks FOR UPDATE TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = schedule_blocks.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); CREATE POLICY "schedule_blocks_delete" ON public.schedule_blocks FOR DELETE TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = schedule_blocks.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); -- ── department_contacts ── CREATE POLICY "department_contacts_select" ON public.department_contacts FOR SELECT TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = department_contacts.department_id AND om.user_id = (select auth.uid()) )); CREATE POLICY "department_contacts_insert" ON public.department_contacts FOR INSERT TO authenticated WITH CHECK (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = department_contacts.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); CREATE POLICY "department_contacts_update" ON public.department_contacts FOR UPDATE TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = department_contacts.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); CREATE POLICY "department_contacts_delete" ON public.department_contacts FOR DELETE TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = department_contacts.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); -- ── budget_categories ── CREATE POLICY "Editors can manage budget categories" ON public.budget_categories FOR ALL TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ed.id = budget_categories.department_id AND om.user_id = (select auth.uid()) )); -- ── budget_items ── CREATE POLICY "Editors can manage budget items" ON public.budget_items FOR ALL TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ed.id = budget_items.department_id AND om.user_id = (select auth.uid()) )); -- ── sponsor_tiers ── CREATE POLICY "Editors can manage sponsor tiers" ON public.sponsor_tiers FOR ALL TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ed.id = sponsor_tiers.department_id AND om.user_id = (select auth.uid()) )); -- ── sponsors ── CREATE POLICY "Editors can manage sponsors" ON public.sponsors FOR ALL TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ed.id = sponsors.department_id AND om.user_id = (select auth.uid()) )); -- ── sponsor_deliverables ── CREATE POLICY "Editors can manage sponsor deliverables" ON public.sponsor_deliverables FOR ALL TO authenticated USING (EXISTS ( SELECT 1 FROM public.sponsors s JOIN public.event_departments ed ON s.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE s.id = sponsor_deliverables.sponsor_id AND om.user_id = (select auth.uid()) )); -- ── sponsor_allocations ── CREATE POLICY "sponsor_allocations_select" ON public.sponsor_allocations FOR SELECT TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = sponsor_allocations.department_id AND om.user_id = (select auth.uid()) )); CREATE POLICY "sponsor_allocations_insert" ON public.sponsor_allocations FOR INSERT TO authenticated WITH CHECK (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = sponsor_allocations.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); CREATE POLICY "sponsor_allocations_update" ON public.sponsor_allocations FOR UPDATE TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = sponsor_allocations.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); CREATE POLICY "sponsor_allocations_delete" ON public.sponsor_allocations FOR DELETE TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = sponsor_allocations.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); -- ── org_contacts ── CREATE POLICY "org_contacts_select" ON public.org_contacts FOR SELECT TO authenticated USING (EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = org_contacts.org_id AND om.user_id = (select auth.uid()) )); CREATE POLICY "org_contacts_insert" ON public.org_contacts FOR INSERT TO authenticated WITH CHECK (EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = org_contacts.org_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); CREATE POLICY "org_contacts_update" ON public.org_contacts FOR UPDATE TO authenticated USING (EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = org_contacts.org_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); CREATE POLICY "org_contacts_delete" ON public.org_contacts FOR DELETE TO authenticated USING (EXISTS ( SELECT 1 FROM public.org_members om WHERE om.org_id = org_contacts.org_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); -- ── department_pinned_contacts ── CREATE POLICY "dept_pinned_contacts_select" ON public.department_pinned_contacts FOR SELECT TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = department_pinned_contacts.department_id AND om.user_id = (select auth.uid()) )); CREATE POLICY "dept_pinned_contacts_insert" ON public.department_pinned_contacts FOR INSERT TO authenticated WITH CHECK (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = department_pinned_contacts.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); CREATE POLICY "dept_pinned_contacts_delete" ON public.department_pinned_contacts FOR DELETE TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON e.id = ed.event_id JOIN public.org_members om ON om.org_id = e.org_id WHERE ed.id = department_pinned_contacts.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor') )); -- ── map_layers ── CREATE POLICY "Org members can view map layers" ON public.map_layers FOR SELECT TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ed.id = map_layers.department_id AND om.user_id = (select auth.uid()) )); CREATE POLICY "Dept members and editors can insert map layers" ON public.map_layers FOR INSERT TO authenticated WITH CHECK (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ed.id = map_layers.department_id AND om.user_id = (select auth.uid()) AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS ( SELECT 1 FROM public.event_member_departments emd JOIN public.event_members em ON emd.event_member_id = em.id WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid()) )) )); CREATE POLICY "Dept members and editors can update map layers" ON public.map_layers FOR UPDATE TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ed.id = map_layers.department_id AND om.user_id = (select auth.uid()) AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS ( SELECT 1 FROM public.event_member_departments emd JOIN public.event_members em ON emd.event_member_id = em.id WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid()) )) )) WITH CHECK (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ed.id = map_layers.department_id AND om.user_id = (select auth.uid()) AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS ( SELECT 1 FROM public.event_member_departments emd JOIN public.event_members em ON emd.event_member_id = em.id WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid()) )) )); CREATE POLICY "Dept members and editors can delete map layers" ON public.map_layers FOR DELETE TO authenticated USING (EXISTS ( SELECT 1 FROM public.event_departments ed JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ed.id = map_layers.department_id AND om.user_id = (select auth.uid()) AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS ( SELECT 1 FROM public.event_member_departments emd JOIN public.event_members em ON emd.event_member_id = em.id WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid()) )) )); -- ── map_pins ── CREATE POLICY "Org members can view map pins" ON public.map_pins FOR SELECT TO authenticated USING (EXISTS ( SELECT 1 FROM public.map_layers ml JOIN public.event_departments ed ON ml.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ml.id = map_pins.layer_id AND om.user_id = (select auth.uid()) )); CREATE POLICY "Dept members and editors can insert map pins" ON public.map_pins FOR INSERT TO authenticated WITH CHECK (EXISTS ( SELECT 1 FROM public.map_layers ml JOIN public.event_departments ed ON ml.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ml.id = map_pins.layer_id AND om.user_id = (select auth.uid()) AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS ( SELECT 1 FROM public.event_member_departments emd JOIN public.event_members em ON emd.event_member_id = em.id WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid()) )) )); CREATE POLICY "Dept members and editors can update map pins" ON public.map_pins FOR UPDATE TO authenticated USING (EXISTS ( SELECT 1 FROM public.map_layers ml JOIN public.event_departments ed ON ml.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ml.id = map_pins.layer_id AND om.user_id = (select auth.uid()) AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS ( SELECT 1 FROM public.event_member_departments emd JOIN public.event_members em ON emd.event_member_id = em.id WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid()) )) )) WITH CHECK (EXISTS ( SELECT 1 FROM public.map_layers ml JOIN public.event_departments ed ON ml.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ml.id = map_pins.layer_id AND om.user_id = (select auth.uid()) AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS ( SELECT 1 FROM public.event_member_departments emd JOIN public.event_members em ON emd.event_member_id = em.id WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid()) )) )); CREATE POLICY "Dept members and editors can delete map pins" ON public.map_pins FOR DELETE TO authenticated USING (EXISTS ( SELECT 1 FROM public.map_layers ml JOIN public.event_departments ed ON ml.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ml.id = map_pins.layer_id AND om.user_id = (select auth.uid()) AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS ( SELECT 1 FROM public.event_member_departments emd JOIN public.event_members em ON emd.event_member_id = em.id WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid()) )) )); -- ── map_shapes ── CREATE POLICY "Org members can view map shapes" ON public.map_shapes FOR SELECT TO authenticated USING (EXISTS ( SELECT 1 FROM public.map_layers ml JOIN public.event_departments ed ON ml.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ml.id = map_shapes.layer_id AND om.user_id = (select auth.uid()) )); CREATE POLICY "Dept members and editors can insert map shapes" ON public.map_shapes FOR INSERT TO authenticated WITH CHECK (EXISTS ( SELECT 1 FROM public.map_layers ml JOIN public.event_departments ed ON ml.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ml.id = map_shapes.layer_id AND om.user_id = (select auth.uid()) AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS ( SELECT 1 FROM public.event_member_departments emd JOIN public.event_members em ON emd.event_member_id = em.id WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid()) )) )); CREATE POLICY "Dept members and editors can update map shapes" ON public.map_shapes FOR UPDATE TO authenticated USING (EXISTS ( SELECT 1 FROM public.map_layers ml JOIN public.event_departments ed ON ml.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ml.id = map_shapes.layer_id AND om.user_id = (select auth.uid()) AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS ( SELECT 1 FROM public.event_member_departments emd JOIN public.event_members em ON emd.event_member_id = em.id WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid()) )) )) WITH CHECK (EXISTS ( SELECT 1 FROM public.map_layers ml JOIN public.event_departments ed ON ml.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ml.id = map_shapes.layer_id AND om.user_id = (select auth.uid()) AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS ( SELECT 1 FROM public.event_member_departments emd JOIN public.event_members em ON emd.event_member_id = em.id WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid()) )) )); CREATE POLICY "Dept members and editors can delete map shapes" ON public.map_shapes FOR DELETE TO authenticated USING (EXISTS ( SELECT 1 FROM public.map_layers ml JOIN public.event_departments ed ON ml.department_id = ed.id JOIN public.events e ON ed.event_id = e.id JOIN public.org_members om ON e.org_id = om.org_id WHERE ml.id = map_shapes.layer_id AND om.user_id = (select auth.uid()) AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS ( SELECT 1 FROM public.event_member_departments emd JOIN public.event_members em ON emd.event_member_id = em.id WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid()) )) ));