178 lines
7.1 KiB
PL/PgSQL
178 lines
7.1 KiB
PL/PgSQL
-- Custom Roles and Invite System
|
|
|
|
-- Permission types (similar to Google Drive)
|
|
-- viewer: Can view content
|
|
-- commenter: Can view and comment
|
|
-- editor: Can view, comment, and edit content
|
|
-- admin: Can manage members and settings
|
|
-- owner: Full control
|
|
|
|
-- Custom roles table (allows vanity roles with custom permissions)
|
|
CREATE TABLE IF NOT EXISTS org_roles (
|
|
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
|
|
org_id UUID REFERENCES organizations(id) ON DELETE CASCADE,
|
|
name TEXT NOT NULL,
|
|
color TEXT DEFAULT '#6366f1', -- For vanity display
|
|
permissions JSONB NOT NULL DEFAULT '[]'::jsonb,
|
|
is_default BOOLEAN DEFAULT false, -- If this is a default role for new members
|
|
is_system BOOLEAN DEFAULT false, -- System roles can't be deleted
|
|
position INTEGER DEFAULT 0, -- For ordering
|
|
created_at TIMESTAMPTZ DEFAULT now(),
|
|
updated_at TIMESTAMPTZ DEFAULT now(),
|
|
UNIQUE(org_id, name)
|
|
);
|
|
|
|
-- Available permissions
|
|
COMMENT ON COLUMN org_roles.permissions IS 'Array of permission strings:
|
|
documents.view, documents.create, documents.edit, documents.delete,
|
|
kanban.view, kanban.create, kanban.edit, kanban.delete,
|
|
calendar.view, calendar.create, calendar.edit, calendar.delete,
|
|
members.view, members.invite, members.manage, members.remove,
|
|
roles.view, roles.create, roles.edit, roles.delete,
|
|
settings.view, settings.edit,
|
|
org.delete';
|
|
|
|
-- Update org_members to reference custom roles
|
|
ALTER TABLE org_members ADD COLUMN IF NOT EXISTS role_id UUID REFERENCES org_roles(id);
|
|
|
|
-- Organization invites
|
|
CREATE TABLE IF NOT EXISTS org_invites (
|
|
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
|
|
org_id UUID REFERENCES organizations(id) ON DELETE CASCADE,
|
|
email TEXT NOT NULL,
|
|
role_id UUID REFERENCES org_roles(id),
|
|
role TEXT DEFAULT 'viewer', -- Fallback if no custom role
|
|
invited_by UUID REFERENCES auth.users(id),
|
|
token TEXT UNIQUE NOT NULL DEFAULT encode(gen_random_bytes(32), 'hex'),
|
|
expires_at TIMESTAMPTZ DEFAULT (now() + interval '7 days'),
|
|
accepted_at TIMESTAMPTZ,
|
|
created_at TIMESTAMPTZ DEFAULT now(),
|
|
UNIQUE(org_id, email)
|
|
);
|
|
|
|
-- Indexes
|
|
CREATE INDEX IF NOT EXISTS idx_org_roles_org ON org_roles(org_id);
|
|
CREATE INDEX IF NOT EXISTS idx_org_invites_org ON org_invites(org_id);
|
|
CREATE INDEX IF NOT EXISTS idx_org_invites_token ON org_invites(token);
|
|
CREATE INDEX IF NOT EXISTS idx_org_invites_email ON org_invites(email);
|
|
|
|
-- RLS for org_roles
|
|
ALTER TABLE org_roles ENABLE ROW LEVEL SECURITY;
|
|
|
|
CREATE POLICY "Org members can view roles" ON org_roles FOR SELECT
|
|
USING (EXISTS (
|
|
SELECT 1 FROM org_members om
|
|
WHERE om.org_id = org_roles.org_id AND om.user_id = auth.uid()
|
|
));
|
|
|
|
CREATE POLICY "Admins can manage roles" ON org_roles FOR ALL
|
|
USING (EXISTS (
|
|
SELECT 1 FROM org_members om
|
|
WHERE om.org_id = org_roles.org_id
|
|
AND om.user_id = auth.uid()
|
|
AND om.role IN ('owner', 'admin')
|
|
));
|
|
|
|
-- RLS for org_invites
|
|
ALTER TABLE org_invites ENABLE ROW LEVEL SECURITY;
|
|
|
|
CREATE POLICY "Org members can view invites" ON org_invites FOR SELECT
|
|
USING (EXISTS (
|
|
SELECT 1 FROM org_members om
|
|
WHERE om.org_id = org_invites.org_id AND om.user_id = auth.uid()
|
|
));
|
|
|
|
CREATE POLICY "Admins can manage invites" ON org_invites FOR ALL
|
|
USING (EXISTS (
|
|
SELECT 1 FROM org_members om
|
|
WHERE om.org_id = org_invites.org_id
|
|
AND om.user_id = auth.uid()
|
|
AND om.role IN ('owner', 'admin')
|
|
));
|
|
|
|
-- Anyone can view invite by token (for accepting)
|
|
CREATE POLICY "Anyone can view invite by token" ON org_invites FOR SELECT
|
|
USING (true);
|
|
|
|
-- Function to create default roles for new org
|
|
CREATE OR REPLACE FUNCTION create_default_org_roles()
|
|
RETURNS TRIGGER AS $$
|
|
BEGIN
|
|
-- Owner role (full permissions)
|
|
INSERT INTO org_roles (org_id, name, color, permissions, is_system, position) VALUES
|
|
(NEW.id, 'Owner', '#ef4444', '["*"]'::jsonb, true, 0);
|
|
|
|
-- Admin role
|
|
INSERT INTO org_roles (org_id, name, color, permissions, is_system, position) VALUES
|
|
(NEW.id, 'Admin', '#f59e0b', '[
|
|
"documents.view", "documents.create", "documents.edit", "documents.delete",
|
|
"kanban.view", "kanban.create", "kanban.edit", "kanban.delete",
|
|
"calendar.view", "calendar.create", "calendar.edit", "calendar.delete",
|
|
"members.view", "members.invite", "members.manage",
|
|
"roles.view", "settings.view", "settings.edit"
|
|
]'::jsonb, true, 1);
|
|
|
|
-- Editor role
|
|
INSERT INTO org_roles (org_id, name, color, permissions, is_system, is_default, position) VALUES
|
|
(NEW.id, 'Editor', '#10b981', '[
|
|
"documents.view", "documents.create", "documents.edit",
|
|
"kanban.view", "kanban.create", "kanban.edit",
|
|
"calendar.view", "calendar.create", "calendar.edit",
|
|
"members.view"
|
|
]'::jsonb, true, true, 2);
|
|
|
|
-- Commenter role
|
|
INSERT INTO org_roles (org_id, name, color, permissions, is_system, position) VALUES
|
|
(NEW.id, 'Commenter', '#6366f1', '[
|
|
"documents.view",
|
|
"kanban.view",
|
|
"calendar.view",
|
|
"members.view"
|
|
]'::jsonb, true, 3);
|
|
|
|
-- Viewer role
|
|
INSERT INTO org_roles (org_id, name, color, permissions, is_system, position) VALUES
|
|
(NEW.id, 'Viewer', '#8b5cf6', '[
|
|
"documents.view",
|
|
"kanban.view",
|
|
"calendar.view",
|
|
"members.view"
|
|
]'::jsonb, true, 4);
|
|
|
|
RETURN NEW;
|
|
END;
|
|
$$ LANGUAGE plpgsql;
|
|
|
|
-- Trigger to create default roles
|
|
DROP TRIGGER IF EXISTS on_org_created_create_roles ON organizations;
|
|
CREATE TRIGGER on_org_created_create_roles
|
|
AFTER INSERT ON organizations
|
|
FOR EACH ROW EXECUTE FUNCTION create_default_org_roles();
|
|
|
|
-- Insert default roles for existing organizations
|
|
DO $$
|
|
DECLARE
|
|
org RECORD;
|
|
BEGIN
|
|
FOR org IN SELECT id FROM organizations LOOP
|
|
-- Only insert if no roles exist
|
|
IF NOT EXISTS (SELECT 1 FROM org_roles WHERE org_id = org.id) THEN
|
|
-- Owner role
|
|
INSERT INTO org_roles (org_id, name, color, permissions, is_system, position) VALUES
|
|
(org.id, 'Owner', '#ef4444', '["*"]'::jsonb, true, 0);
|
|
-- Admin role
|
|
INSERT INTO org_roles (org_id, name, color, permissions, is_system, position) VALUES
|
|
(org.id, 'Admin', '#f59e0b', '["documents.view", "documents.create", "documents.edit", "documents.delete", "kanban.view", "kanban.create", "kanban.edit", "kanban.delete", "calendar.view", "calendar.create", "calendar.edit", "calendar.delete", "members.view", "members.invite", "members.manage", "roles.view", "settings.view", "settings.edit"]'::jsonb, true, 1);
|
|
-- Editor role
|
|
INSERT INTO org_roles (org_id, name, color, permissions, is_system, is_default, position) VALUES
|
|
(org.id, 'Editor', '#10b981', '["documents.view", "documents.create", "documents.edit", "kanban.view", "kanban.create", "kanban.edit", "calendar.view", "calendar.create", "calendar.edit", "members.view"]'::jsonb, true, true, 2);
|
|
-- Commenter role
|
|
INSERT INTO org_roles (org_id, name, color, permissions, is_system, position) VALUES
|
|
(org.id, 'Commenter', '#6366f1', '["documents.view", "kanban.view", "calendar.view", "members.view"]'::jsonb, true, 3);
|
|
-- Viewer role
|
|
INSERT INTO org_roles (org_id, name, color, permissions, is_system, position) VALUES
|
|
(org.id, 'Viewer', '#8b5cf6', '["documents.view", "kanban.view", "calendar.view", "members.view"]'::jsonb, true, 4);
|
|
END IF;
|
|
END LOOP;
|
|
END $$;
|