sass/root-org
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
9885f9459d96f7d17dfb3360674e5905db6e747f
root-org/supabase/migrations/053_fix_rls_authenticated.sql
AlacrisDevs a4baa1ad25 Big things, maybe all's better now
2026-02-09 11:36:39 +02:00

973 lines
40 KiB
SQL
Raw Blame History

-- ============================================================
-- Migration 053: Add TO authenticated to all RLS policies
-- Per Supabase docs, policies should specify TO authenticated
-- to avoid running auth.uid() checks for anon users (returns NULL).
-- Also adds TO anon where public access is needed.
-- ============================================================
-- Drop all policies again (clean slate)
DO $$
DECLARE
r record;
BEGIN
FOR r IN
SELECT schemaname, tablename, policyname
FROM pg_policies
WHERE schemaname = 'public'
LOOP
EXECUTE format('DROP POLICY IF EXISTS %I ON %I.%I',
r.policyname, r.schemaname, r.tablename);
END LOOP;
END;
$$;
-- ── profiles ──
CREATE POLICY "Profiles are viewable by everyone" ON public.profiles
FOR SELECT TO authenticated USING (true);
CREATE POLICY "Users can update own profile" ON public.profiles
FOR UPDATE TO authenticated USING ((select auth.uid()) = id);
CREATE POLICY "Platform admins can update profiles" ON public.profiles
FOR UPDATE TO authenticated USING ((select public.is_platform_admin()));
-- ── organizations ──
CREATE POLICY "Anyone can create organizations" ON public.organizations
FOR INSERT TO authenticated WITH CHECK (true);
CREATE POLICY "Members can view their organizations" ON public.organizations
FOR SELECT TO authenticated USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = organizations.id AND om.user_id = (select auth.uid())
)
);
CREATE POLICY "Owners and admins can update organizations" ON public.organizations
FOR UPDATE TO authenticated
USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = organizations.id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin')
)
)
WITH CHECK (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = organizations.id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin')
)
);
CREATE POLICY "Owners can delete organizations" ON public.organizations
FOR DELETE TO authenticated USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = organizations.id AND om.user_id = (select auth.uid()) AND om.role = 'owner'
)
);
-- ── org_members ──
CREATE POLICY "Members can view org members" ON public.org_members
FOR SELECT TO authenticated USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om2
WHERE om2.org_id = org_members.org_id AND om2.user_id = (select auth.uid())
)
);
CREATE POLICY "Allow member inserts" ON public.org_members
FOR INSERT TO authenticated WITH CHECK (
EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = org_members.org_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin')
)
OR org_members.user_id = (select auth.uid())
);
CREATE POLICY "Owners and admins can manage members" ON public.org_members
FOR UPDATE TO authenticated
USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om2
WHERE om2.org_id = org_members.org_id AND om2.user_id = (select auth.uid()) AND om2.role IN ('owner', 'admin')
)
)
WITH CHECK (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om2
WHERE om2.org_id = org_members.org_id AND om2.user_id = (select auth.uid()) AND om2.role IN ('owner', 'admin')
)
);
CREATE POLICY "Owners and admins can delete members" ON public.org_members
FOR DELETE TO authenticated USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om2
WHERE om2.org_id = org_members.org_id AND om2.user_id = (select auth.uid()) AND om2.role IN ('owner', 'admin')
)
);
-- ── org_roles ──
CREATE POLICY "Org members can view roles" ON public.org_roles
FOR SELECT TO authenticated USING (
EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = org_roles.org_id AND om.user_id = (select auth.uid())
)
);
CREATE POLICY "Admins can manage roles" ON public.org_roles
FOR ALL TO authenticated USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = org_roles.org_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin')
)
);
-- ── org_invites ──
CREATE POLICY "Org members can view invites" ON public.org_invites
FOR SELECT TO authenticated USING (
EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = org_invites.org_id AND om.user_id = (select auth.uid())
)
);
CREATE POLICY "Anyone can view invite by token" ON public.org_invites
FOR SELECT TO anon, authenticated USING (true);
CREATE POLICY "Admins can manage invites" ON public.org_invites
FOR ALL TO authenticated USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = org_invites.org_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin')
)
);
-- ── documents ──
CREATE POLICY "Editors can manage documents" ON public.documents
FOR ALL TO authenticated USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = documents.org_id AND om.user_id = (select auth.uid())
)
)
WITH CHECK (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = documents.org_id AND om.user_id = (select auth.uid())
)
);
-- ── document_locks ──
CREATE POLICY "Org members can view document locks" ON public.document_locks
FOR SELECT TO authenticated USING (
EXISTS (
SELECT 1 FROM public.documents d
JOIN public.org_members om ON d.org_id = om.org_id
WHERE d.id = document_locks.document_id AND om.user_id = (select auth.uid())
)
);
CREATE POLICY "Users can insert their own locks" ON public.document_locks
FOR INSERT TO authenticated WITH CHECK (user_id = (select auth.uid()));
CREATE POLICY "Users can update their own locks" ON public.document_locks
FOR UPDATE TO authenticated USING (user_id = (select auth.uid()));
CREATE POLICY "Users can delete locks" ON public.document_locks
FOR DELETE TO authenticated USING (
user_id = (select auth.uid())
OR last_heartbeat < (now() - interval '2 minutes')
);
-- ── kanban_boards ──
CREATE POLICY "Editors can manage boards" ON public.kanban_boards
FOR ALL TO authenticated USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = kanban_boards.org_id AND om.user_id = (select auth.uid())
)
)
WITH CHECK (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = kanban_boards.org_id AND om.user_id = (select auth.uid())
)
);
-- ── kanban_columns ──
CREATE POLICY "Editors can manage columns" ON public.kanban_columns
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.kanban_boards b
JOIN public.org_members om ON b.org_id = om.org_id
WHERE b.id = kanban_columns.board_id AND om.user_id = (select auth.uid())
)
);
-- ── kanban_cards ──
CREATE POLICY "Editors can manage cards" ON public.kanban_cards
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.kanban_columns c
JOIN public.kanban_boards b ON c.board_id = b.id
JOIN public.org_members om ON b.org_id = om.org_id
WHERE c.id = kanban_cards.column_id AND om.user_id = (select auth.uid())
)
);
-- ── card_assignees ──
CREATE POLICY "Card assignees inherit card access" ON public.card_assignees
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.kanban_cards kc
JOIN public.kanban_columns kcol ON kcol.id = kc.column_id
JOIN public.kanban_boards kb ON kb.id = kcol.board_id
JOIN public.org_members om ON om.org_id = kb.org_id
WHERE kc.id = card_assignees.card_id AND om.user_id = (select auth.uid())
)
);
-- ── checklist_items (card checklists) ──
CREATE POLICY "Editors can manage checklist items" ON public.checklist_items
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.kanban_cards c
JOIN public.kanban_columns col ON c.column_id = col.id
JOIN public.kanban_boards b ON col.board_id = b.id
JOIN public.org_members om ON b.org_id = om.org_id
WHERE c.id = checklist_items.card_id AND om.user_id = (select auth.uid())
)
);
-- ── kanban_checklist_items ──
CREATE POLICY "Checklist items inherit card access" ON public.kanban_checklist_items
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.kanban_cards c
JOIN public.kanban_columns col ON c.column_id = col.id
JOIN public.kanban_boards b ON col.board_id = b.id
JOIN public.org_members m ON b.org_id = m.org_id
WHERE c.id = kanban_checklist_items.card_id AND m.user_id = (select auth.uid())
)
);
-- ── kanban_comments ──
CREATE POLICY "Comments inherit card access" ON public.kanban_comments
FOR SELECT TO authenticated USING (
EXISTS (
SELECT 1 FROM public.kanban_cards c
JOIN public.kanban_columns col ON c.column_id = col.id
JOIN public.kanban_boards b ON col.board_id = b.id
JOIN public.org_members m ON b.org_id = m.org_id
WHERE c.id = kanban_comments.card_id AND m.user_id = (select auth.uid())
)
);
CREATE POLICY "Users can insert own comments" ON public.kanban_comments
FOR INSERT TO authenticated WITH CHECK (
user_id = (select auth.uid()) AND
EXISTS (
SELECT 1 FROM public.kanban_cards c
JOIN public.kanban_columns col ON c.column_id = col.id
JOIN public.kanban_boards b ON col.board_id = b.id
JOIN public.org_members m ON b.org_id = m.org_id
WHERE c.id = kanban_comments.card_id AND m.user_id = (select auth.uid())
)
);
CREATE POLICY "Users can update own comments" ON public.kanban_comments
FOR UPDATE TO authenticated USING (user_id = (select auth.uid()));
CREATE POLICY "Users can delete own comments" ON public.kanban_comments
FOR DELETE TO authenticated USING (user_id = (select auth.uid()));
-- ── kanban_labels ──
CREATE POLICY "Labels accessible to org members" ON public.kanban_labels
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.org_members m
WHERE m.org_id = kanban_labels.org_id AND m.user_id = (select auth.uid())
)
);
-- ── card_labels ──
CREATE POLICY "Card labels inherit card access" ON public.card_labels
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.kanban_cards c
JOIN public.kanban_columns col ON c.column_id = col.id
JOIN public.kanban_boards b ON col.board_id = b.id
JOIN public.org_members m ON b.org_id = m.org_id
WHERE c.id = card_labels.card_id AND m.user_id = (select auth.uid())
)
);
-- ── tags ──
CREATE POLICY "Users can view tags in their orgs" ON public.tags
FOR SELECT TO authenticated USING (
org_id IN (SELECT org_id FROM public.org_members WHERE user_id = (select auth.uid()))
);
CREATE POLICY "Admins can manage tags" ON public.tags
FOR ALL TO authenticated USING (
org_id IN (
SELECT org_id FROM public.org_members
WHERE user_id = (select auth.uid()) AND role IN ('owner', 'admin')
)
);
-- ── card_tags ──
CREATE POLICY "Members can manage card tags" ON public.card_tags
FOR ALL TO authenticated USING (
tag_id IN (
SELECT id FROM public.tags WHERE org_id IN (
SELECT org_id FROM public.org_members WHERE user_id = (select auth.uid())
)
)
);
-- ── teams ──
CREATE POLICY "Users can view teams in their orgs" ON public.teams
FOR SELECT TO authenticated USING (
org_id IN (SELECT org_id FROM public.org_members WHERE user_id = (select auth.uid()))
);
CREATE POLICY "Admins can manage teams" ON public.teams
FOR ALL TO authenticated USING (
org_id IN (
SELECT org_id FROM public.org_members
WHERE user_id = (select auth.uid()) AND role IN ('owner', 'admin')
)
);
-- ── team_members ──
CREATE POLICY "Users can view team members in their orgs" ON public.team_members
FOR SELECT TO authenticated USING (
team_id IN (
SELECT id FROM public.teams WHERE org_id IN (
SELECT org_id FROM public.org_members WHERE user_id = (select auth.uid())
)
)
);
CREATE POLICY "Admins can manage team members" ON public.team_members
FOR ALL TO authenticated USING (
team_id IN (
SELECT id FROM public.teams WHERE org_id IN (
SELECT org_id FROM public.org_members
WHERE user_id = (select auth.uid()) AND role IN ('owner', 'admin')
)
)
);
-- ── calendar_events ──
CREATE POLICY "Editors can manage events" ON public.calendar_events
FOR ALL TO authenticated USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = calendar_events.org_id AND om.user_id = (select auth.uid())
)
)
WITH CHECK (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = calendar_events.org_id AND om.user_id = (select auth.uid())
)
);
-- ── event_attendees ──
CREATE POLICY "Org members can manage event attendees" ON public.event_attendees
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.events e
JOIN public.org_members om ON om.org_id = e.org_id
WHERE e.id = event_attendees.event_id AND om.user_id = (select auth.uid())
)
);
-- ── org_google_calendars ──
CREATE POLICY "Members can view org calendar" ON public.org_google_calendars
FOR SELECT TO authenticated USING (
EXISTS (
SELECT 1 FROM public.org_members
WHERE org_members.org_id = org_google_calendars.org_id AND org_members.user_id = (select auth.uid())
)
);
CREATE POLICY "Admins can manage org calendar" ON public.org_google_calendars
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.org_members
WHERE org_members.org_id = org_google_calendars.org_id
AND org_members.user_id = (select auth.uid())
AND org_members.role IN ('admin', 'owner')
)
);
-- ── activity_log ──
CREATE POLICY "Users can view org activity" ON public.activity_log
FOR SELECT TO authenticated USING (
EXISTS (
SELECT 1 FROM public.org_members m
WHERE m.org_id = activity_log.org_id AND m.user_id = (select auth.uid())
)
);
CREATE POLICY "Users can insert own activity" ON public.activity_log
FOR INSERT TO authenticated WITH CHECK (user_id = (select auth.uid()));
-- ── user_preferences ──
CREATE POLICY "Users can manage own preferences" ON public.user_preferences
FOR ALL TO authenticated USING (user_id = (select auth.uid()));
-- ── matrix_credentials ──
CREATE POLICY "Users can read own matrix credentials" ON public.matrix_credentials
FOR SELECT TO authenticated USING ((select auth.uid()) = user_id);
CREATE POLICY "Users can insert own matrix credentials" ON public.matrix_credentials
FOR INSERT TO authenticated WITH CHECK ((select auth.uid()) = user_id);
CREATE POLICY "Users can update own matrix credentials" ON public.matrix_credentials
FOR UPDATE TO authenticated USING ((select auth.uid()) = user_id);
CREATE POLICY "Users can delete own matrix credentials" ON public.matrix_credentials
FOR DELETE TO authenticated USING ((select auth.uid()) = user_id);
-- ── events ──
CREATE POLICY "Editors can manage events" ON public.events
FOR ALL TO authenticated USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = events.org_id AND om.user_id = (select auth.uid())
)
)
WITH CHECK (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = events.org_id AND om.user_id = (select auth.uid())
)
);
-- ── event_members ──
CREATE POLICY "Editors can manage event members" ON public.event_members
FOR ALL TO authenticated USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.events e
JOIN public.org_members om ON e.org_id = om.org_id
WHERE e.id = event_members.event_id AND om.user_id = (select auth.uid())
)
)
WITH CHECK (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.events e
JOIN public.org_members om ON e.org_id = om.org_id
WHERE e.id = event_members.event_id AND om.user_id = (select auth.uid())
)
);
-- ── event_roles ──
CREATE POLICY "Editors can manage event roles" ON public.event_roles
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.events e
JOIN public.org_members om ON e.org_id = om.org_id
WHERE e.id = event_roles.event_id AND om.user_id = (select auth.uid())
)
);
-- ── event_departments ──
CREATE POLICY "Editors can manage event departments" ON public.event_departments
FOR ALL TO authenticated USING (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.events e
JOIN public.org_members om ON e.org_id = om.org_id
WHERE e.id = event_departments.event_id AND om.user_id = (select auth.uid())
)
)
WITH CHECK (
(select public.is_platform_admin())
OR EXISTS (
SELECT 1 FROM public.events e
JOIN public.org_members om ON e.org_id = om.org_id
WHERE e.id = event_departments.event_id AND om.user_id = (select auth.uid())
)
);
-- ── event_member_departments ──
CREATE POLICY "Editors can manage member departments" ON public.event_member_departments
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.event_members em
JOIN public.events e ON em.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE em.id = event_member_departments.event_member_id AND om.user_id = (select auth.uid())
)
);
-- ── event_task_columns ──
CREATE POLICY "Editors can manage event task columns" ON public.event_task_columns
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.events e
JOIN public.org_members om ON e.org_id = om.org_id
WHERE e.id = event_task_columns.event_id AND om.user_id = (select auth.uid())
)
);
-- ── event_tasks ──
CREATE POLICY "Editors can manage event tasks" ON public.event_tasks
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.events e
JOIN public.org_members om ON e.org_id = om.org_id
WHERE e.id = event_tasks.event_id AND om.user_id = (select auth.uid())
)
);
-- ── department_dashboards ──
CREATE POLICY "Editors can manage department dashboards" ON public.department_dashboards
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ed.id = department_dashboards.department_id AND om.user_id = (select auth.uid())
)
);
-- ── dashboard_panels ──
CREATE POLICY "Editors can manage dashboard panels" ON public.dashboard_panels
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.department_dashboards dd
JOIN public.event_departments ed ON dd.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE dd.id = dashboard_panels.dashboard_id AND om.user_id = (select auth.uid())
)
);
-- ── department_checklists ──
CREATE POLICY "Editors can manage department checklists" ON public.department_checklists
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ed.id = department_checklists.department_id AND om.user_id = (select auth.uid())
)
);
-- ── department_checklist_items ──
CREATE POLICY "Editors can manage dept checklist items" ON public.department_checklist_items
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.department_checklists dc
JOIN public.event_departments ed ON dc.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE dc.id = department_checklist_items.checklist_id AND om.user_id = (select auth.uid())
)
);
-- ── department_notes ──
CREATE POLICY "Editors can manage department notes" ON public.department_notes
FOR ALL TO authenticated USING (
EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ed.id = department_notes.department_id AND om.user_id = (select auth.uid())
)
);
-- ── schedule_stages ──
CREATE POLICY "schedule_stages_select" ON public.schedule_stages
FOR SELECT TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = schedule_stages.department_id AND om.user_id = (select auth.uid())
));
CREATE POLICY "schedule_stages_insert" ON public.schedule_stages
FOR INSERT TO authenticated WITH CHECK (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = schedule_stages.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
CREATE POLICY "schedule_stages_update" ON public.schedule_stages
FOR UPDATE TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = schedule_stages.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
CREATE POLICY "schedule_stages_delete" ON public.schedule_stages
FOR DELETE TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = schedule_stages.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
-- ── schedule_blocks ──
CREATE POLICY "schedule_blocks_select" ON public.schedule_blocks
FOR SELECT TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = schedule_blocks.department_id AND om.user_id = (select auth.uid())
));
CREATE POLICY "schedule_blocks_insert" ON public.schedule_blocks
FOR INSERT TO authenticated WITH CHECK (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = schedule_blocks.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
CREATE POLICY "schedule_blocks_update" ON public.schedule_blocks
FOR UPDATE TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = schedule_blocks.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
CREATE POLICY "schedule_blocks_delete" ON public.schedule_blocks
FOR DELETE TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = schedule_blocks.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
-- ── department_contacts ──
CREATE POLICY "department_contacts_select" ON public.department_contacts
FOR SELECT TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = department_contacts.department_id AND om.user_id = (select auth.uid())
));
CREATE POLICY "department_contacts_insert" ON public.department_contacts
FOR INSERT TO authenticated WITH CHECK (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = department_contacts.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
CREATE POLICY "department_contacts_update" ON public.department_contacts
FOR UPDATE TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = department_contacts.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
CREATE POLICY "department_contacts_delete" ON public.department_contacts
FOR DELETE TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = department_contacts.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
-- ── budget_categories ──
CREATE POLICY "Editors can manage budget categories" ON public.budget_categories
FOR ALL TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ed.id = budget_categories.department_id AND om.user_id = (select auth.uid())
));
-- ── budget_items ──
CREATE POLICY "Editors can manage budget items" ON public.budget_items
FOR ALL TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ed.id = budget_items.department_id AND om.user_id = (select auth.uid())
));
-- ── sponsor_tiers ──
CREATE POLICY "Editors can manage sponsor tiers" ON public.sponsor_tiers
FOR ALL TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ed.id = sponsor_tiers.department_id AND om.user_id = (select auth.uid())
));
-- ── sponsors ──
CREATE POLICY "Editors can manage sponsors" ON public.sponsors
FOR ALL TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ed.id = sponsors.department_id AND om.user_id = (select auth.uid())
));
-- ── sponsor_deliverables ──
CREATE POLICY "Editors can manage sponsor deliverables" ON public.sponsor_deliverables
FOR ALL TO authenticated USING (EXISTS (
SELECT 1 FROM public.sponsors s
JOIN public.event_departments ed ON s.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE s.id = sponsor_deliverables.sponsor_id AND om.user_id = (select auth.uid())
));
-- ── sponsor_allocations ──
CREATE POLICY "sponsor_allocations_select" ON public.sponsor_allocations
FOR SELECT TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = sponsor_allocations.department_id AND om.user_id = (select auth.uid())
));
CREATE POLICY "sponsor_allocations_insert" ON public.sponsor_allocations
FOR INSERT TO authenticated WITH CHECK (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = sponsor_allocations.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
CREATE POLICY "sponsor_allocations_update" ON public.sponsor_allocations
FOR UPDATE TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = sponsor_allocations.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
CREATE POLICY "sponsor_allocations_delete" ON public.sponsor_allocations
FOR DELETE TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = sponsor_allocations.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
-- ── org_contacts ──
CREATE POLICY "org_contacts_select" ON public.org_contacts
FOR SELECT TO authenticated USING (EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = org_contacts.org_id AND om.user_id = (select auth.uid())
));
CREATE POLICY "org_contacts_insert" ON public.org_contacts
FOR INSERT TO authenticated WITH CHECK (EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = org_contacts.org_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
CREATE POLICY "org_contacts_update" ON public.org_contacts
FOR UPDATE TO authenticated USING (EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = org_contacts.org_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
CREATE POLICY "org_contacts_delete" ON public.org_contacts
FOR DELETE TO authenticated USING (EXISTS (
SELECT 1 FROM public.org_members om
WHERE om.org_id = org_contacts.org_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
-- ── department_pinned_contacts ──
CREATE POLICY "dept_pinned_contacts_select" ON public.department_pinned_contacts
FOR SELECT TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = department_pinned_contacts.department_id AND om.user_id = (select auth.uid())
));
CREATE POLICY "dept_pinned_contacts_insert" ON public.department_pinned_contacts
FOR INSERT TO authenticated WITH CHECK (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = department_pinned_contacts.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
CREATE POLICY "dept_pinned_contacts_delete" ON public.department_pinned_contacts
FOR DELETE TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON e.id = ed.event_id
JOIN public.org_members om ON om.org_id = e.org_id
WHERE ed.id = department_pinned_contacts.department_id AND om.user_id = (select auth.uid()) AND om.role IN ('owner', 'admin', 'editor')
));
-- ── map_layers ──
CREATE POLICY "Org members can view map layers" ON public.map_layers
FOR SELECT TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ed.id = map_layers.department_id AND om.user_id = (select auth.uid())
));
CREATE POLICY "Dept members and editors can insert map layers" ON public.map_layers
FOR INSERT TO authenticated WITH CHECK (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ed.id = map_layers.department_id AND om.user_id = (select auth.uid())
AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS (
SELECT 1 FROM public.event_member_departments emd
JOIN public.event_members em ON emd.event_member_id = em.id
WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid())
))
));
CREATE POLICY "Dept members and editors can update map layers" ON public.map_layers
FOR UPDATE TO authenticated
USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ed.id = map_layers.department_id AND om.user_id = (select auth.uid())
AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS (
SELECT 1 FROM public.event_member_departments emd
JOIN public.event_members em ON emd.event_member_id = em.id
WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid())
))
))
WITH CHECK (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ed.id = map_layers.department_id AND om.user_id = (select auth.uid())
AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS (
SELECT 1 FROM public.event_member_departments emd
JOIN public.event_members em ON emd.event_member_id = em.id
WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid())
))
));
CREATE POLICY "Dept members and editors can delete map layers" ON public.map_layers
FOR DELETE TO authenticated USING (EXISTS (
SELECT 1 FROM public.event_departments ed
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ed.id = map_layers.department_id AND om.user_id = (select auth.uid())
AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS (
SELECT 1 FROM public.event_member_departments emd
JOIN public.event_members em ON emd.event_member_id = em.id
WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid())
))
));
-- ── map_pins ──
CREATE POLICY "Org members can view map pins" ON public.map_pins
FOR SELECT TO authenticated USING (EXISTS (
SELECT 1 FROM public.map_layers ml
JOIN public.event_departments ed ON ml.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ml.id = map_pins.layer_id AND om.user_id = (select auth.uid())
));
CREATE POLICY "Dept members and editors can insert map pins" ON public.map_pins
FOR INSERT TO authenticated WITH CHECK (EXISTS (
SELECT 1 FROM public.map_layers ml
JOIN public.event_departments ed ON ml.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ml.id = map_pins.layer_id AND om.user_id = (select auth.uid())
AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS (
SELECT 1 FROM public.event_member_departments emd
JOIN public.event_members em ON emd.event_member_id = em.id
WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid())
))
));
CREATE POLICY "Dept members and editors can update map pins" ON public.map_pins
FOR UPDATE TO authenticated
USING (EXISTS (
SELECT 1 FROM public.map_layers ml
JOIN public.event_departments ed ON ml.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ml.id = map_pins.layer_id AND om.user_id = (select auth.uid())
AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS (
SELECT 1 FROM public.event_member_departments emd
JOIN public.event_members em ON emd.event_member_id = em.id
WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid())
))
))
WITH CHECK (EXISTS (
SELECT 1 FROM public.map_layers ml
JOIN public.event_departments ed ON ml.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ml.id = map_pins.layer_id AND om.user_id = (select auth.uid())
AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS (
SELECT 1 FROM public.event_member_departments emd
JOIN public.event_members em ON emd.event_member_id = em.id
WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid())
))
));
CREATE POLICY "Dept members and editors can delete map pins" ON public.map_pins
FOR DELETE TO authenticated USING (EXISTS (
SELECT 1 FROM public.map_layers ml
JOIN public.event_departments ed ON ml.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ml.id = map_pins.layer_id AND om.user_id = (select auth.uid())
AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS (
SELECT 1 FROM public.event_member_departments emd
JOIN public.event_members em ON emd.event_member_id = em.id
WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid())
))
));
-- ── map_shapes ──
CREATE POLICY "Org members can view map shapes" ON public.map_shapes
FOR SELECT TO authenticated USING (EXISTS (
SELECT 1 FROM public.map_layers ml
JOIN public.event_departments ed ON ml.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ml.id = map_shapes.layer_id AND om.user_id = (select auth.uid())
));
CREATE POLICY "Dept members and editors can insert map shapes" ON public.map_shapes
FOR INSERT TO authenticated WITH CHECK (EXISTS (
SELECT 1 FROM public.map_layers ml
JOIN public.event_departments ed ON ml.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ml.id = map_shapes.layer_id AND om.user_id = (select auth.uid())
AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS (
SELECT 1 FROM public.event_member_departments emd
JOIN public.event_members em ON emd.event_member_id = em.id
WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid())
))
));
CREATE POLICY "Dept members and editors can update map shapes" ON public.map_shapes
FOR UPDATE TO authenticated
USING (EXISTS (
SELECT 1 FROM public.map_layers ml
JOIN public.event_departments ed ON ml.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ml.id = map_shapes.layer_id AND om.user_id = (select auth.uid())
AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS (
SELECT 1 FROM public.event_member_departments emd
JOIN public.event_members em ON emd.event_member_id = em.id
WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid())
))
))
WITH CHECK (EXISTS (
SELECT 1 FROM public.map_layers ml
JOIN public.event_departments ed ON ml.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ml.id = map_shapes.layer_id AND om.user_id = (select auth.uid())
AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS (
SELECT 1 FROM public.event_member_departments emd
JOIN public.event_members em ON emd.event_member_id = em.id
WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid())
))
));
CREATE POLICY "Dept members and editors can delete map shapes" ON public.map_shapes
FOR DELETE TO authenticated USING (EXISTS (
SELECT 1 FROM public.map_layers ml
JOIN public.event_departments ed ON ml.department_id = ed.id
JOIN public.events e ON ed.event_id = e.id
JOIN public.org_members om ON e.org_id = om.org_id
WHERE ml.id = map_shapes.layer_id AND om.user_id = (select auth.uid())
AND (om.role IN ('owner', 'admin', 'editor') OR EXISTS (
SELECT 1 FROM public.event_member_departments emd
JOIN public.event_members em ON emd.event_member_id = em.id
WHERE emd.department_id = ed.id AND em.user_id = (select auth.uid())
))
));
Reference in New Issue View Git Blame Copy Permalink