-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path002_basic_rls.sql
More file actions
213 lines (191 loc) · 5.27 KB
/
Copy path002_basic_rls.sql
File metadata and controls
213 lines (191 loc) · 5.27 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
-- ============================================
-- ENABLE RLS on all tables
-- ============================================
ALTER TABLE organizations ENABLE ROW LEVEL SECURITY;
ALTER TABLE organization_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE events ENABLE ROW LEVEL SECURITY;
ALTER TABLE generated_assets ENABLE ROW LEVEL SECURITY;
ALTER TABLE flyers ENABLE ROW LEVEL SECURITY;
-- ============================================
-- RLS POLICIES: ORGANIZATIONS
-- ============================================
-- Users can view organizations they're members of
CREATE POLICY "Users can view their organizations"
ON organizations FOR SELECT
USING (
id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid()
)
);
-- Users can create organizations (they become owner automatically via trigger)
CREATE POLICY "Users can create organizations"
ON organizations FOR INSERT
WITH CHECK (created_by = auth.uid());
-- Only owners can update organizations
CREATE POLICY "Owners can update organizations"
ON organizations FOR UPDATE
USING (
id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid() AND role = 'owner'
)
);
-- Only owners can delete organizations
CREATE POLICY "Owners can delete organizations"
ON organizations FOR DELETE
USING (
id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid() AND role = 'owner'
)
);
-- ============================================
-- RLS POLICIES: ORGANIZATION MEMBERS
-- ============================================
-- Users can view members of their organizations
CREATE POLICY "Users can view org members"
ON organization_members FOR SELECT
USING (
org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid()
)
);
-- Owners and admins can add members
CREATE POLICY "Admins can add members"
ON organization_members FOR INSERT
WITH CHECK (
org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid() AND role IN ('owner', 'admin')
)
);
-- Owners and admins can remove members
CREATE POLICY "Admins can remove members"
ON organization_members FOR DELETE
USING (
org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid() AND role IN ('owner', 'admin')
)
);
-- ============================================
-- RLS POLICIES: EVENTS
-- ============================================
-- Users can view events from their organizations
CREATE POLICY "Users can view org events"
ON events FOR SELECT
USING (
org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid()
)
);
-- Users can create events in their organizations
CREATE POLICY "Users can create org events"
ON events FOR INSERT
WITH CHECK (
org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid()
)
AND created_by = auth.uid()
);
-- Users can update events in their organizations
CREATE POLICY "Users can update org events"
ON events FOR UPDATE
USING (
org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid()
)
);
-- Users can delete events they created
CREATE POLICY "Users can delete their events"
ON events FOR DELETE
USING (
created_by = auth.uid()
OR org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid() AND role IN ('owner', 'admin')
)
);
-- ============================================
-- RLS POLICIES: GENERATED ASSETS
-- ============================================
-- Users can view assets for events in their orgs
CREATE POLICY "Users can view org event assets"
ON generated_assets FOR SELECT
USING (
event_id IN (
SELECT id FROM events
WHERE org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid()
)
)
);
-- Users can create assets for events in their orgs
CREATE POLICY "Users can create org event assets"
ON generated_assets FOR INSERT
WITH CHECK (
event_id IN (
SELECT id FROM events
WHERE org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid()
)
)
);
-- Users can delete assets for events in their orgs
CREATE POLICY "Users can delete org event assets"
ON generated_assets FOR DELETE
USING (
event_id IN (
SELECT id FROM events
WHERE org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid()
)
)
);
-- ============================================
-- RLS POLICIES: FLYERS
-- ============================================
-- Users can view flyers for events in their orgs
CREATE POLICY "Users can view org event flyers"
ON flyers FOR SELECT
USING (
event_id IN (
SELECT id FROM events
WHERE org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid()
)
)
);
-- Users can create flyers for events in their orgs
CREATE POLICY "Users can create org event flyers"
ON flyers FOR INSERT
WITH CHECK (
event_id IN (
SELECT id FROM events
WHERE org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid()
)
)
);
-- Users can delete flyers for events in their orgs
CREATE POLICY "Users can delete org event flyers"
ON flyers FOR DELETE
USING (
event_id IN (
SELECT id FROM events
WHERE org_id IN (
SELECT org_id FROM organization_members
WHERE user_id = auth.uid()
)
)
);