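-- SECURITY UPDATES
-- This script strengthens the RLS policies by enforcing 'admin' role checks
-- instead of just checking if the user is authenticated.
--
-- Reviewer notes:
--   * A policy only takes effect on a table that has row level security
--     enabled. This script does not enable RLS itself; confirm it is on
--     for products, customers and site_contents before relying on these.
--   * The admin check reads profiles.role as the calling user. It is only
--     as strong as the write protection on profiles: a user who can update
--     their own role column would pass every policy below.
--   * All statements run in one transaction (Postgres DDL is transactional),
--     so a failure part-way leaves the previous policies in place instead of
--     a table with some policies dropped and none re-created.
--   * Every CREATE POLICY is preceded by DROP POLICY IF EXISTS for the same
--     name, so the script can be re-run without "policy already exists".

BEGIN;

-- 0. SHARED ADMIN CHECK
-- Single definition of "the caller is an admin"; the policies below call it
-- instead of repeating the same subquery eight times.
--   SECURITY INVOKER (the default, spelled out) keeps the semantics of the
--   inline subquery: profiles is read with the caller's privileges and RLS.
--   STABLE tells the planner the result does not change within a statement.
CREATE OR REPLACE FUNCTION current_user_is_admin()
RETURNS boolean
LANGUAGE sql
STABLE
SECURITY INVOKER
AS $$
    SELECT EXISTS (
        SELECT 1
        FROM profiles
        WHERE profiles.id = auth.uid()
          AND profiles.role = 'admin'
    );
$$;

-- 1. PRODUCTS TABLE
-- Drop existing loose policies (authenticated-only checks)
DROP POLICY IF EXISTS "Authenticated users can insert products." ON products;
DROP POLICY IF EXISTS "Authenticated users can update products." ON products;
DROP POLICY IF EXISTS "Authenticated users can delete products." ON products;

-- Drop any earlier copy of the strict policies so the script is re-runnable
DROP POLICY IF EXISTS "Admins can insert products" ON products;
DROP POLICY IF EXISTS "Admins can update products" ON products;
DROP POLICY IF EXISTS "Admins can delete products" ON products;

-- Create strict admin policies
CREATE POLICY "Admins can insert products"
    ON products FOR INSERT
    WITH CHECK (current_user_is_admin());

-- USING gates which existing rows may be targeted, WITH CHECK gates the
-- new row value. Postgres reuses USING for the check when WITH CHECK is
-- omitted; spelling it out makes the intent reviewable.
CREATE POLICY "Admins can update products"
    ON products FOR UPDATE
    USING (current_user_is_admin())
    WITH CHECK (current_user_is_admin());

CREATE POLICY "Admins can delete products"
    ON products FOR DELETE
    USING (current_user_is_admin());

-- 2. CUSTOMERS TABLE
-- Drop the previously named policies (their body may still be the older
-- loose pattern) and any earlier copy of the strict ones
DROP POLICY IF EXISTS "Admins can insert customers" ON customers;
DROP POLICY IF EXISTS "Admins can update customers" ON customers;
DROP POLICY IF EXISTS "Admins can delete customers" ON customers;
DROP POLICY IF EXISTS "Strict Admin Insert Customers" ON customers;
DROP POLICY IF EXISTS "Strict Admin Update Customers" ON customers;
DROP POLICY IF EXISTS "Strict Admin Delete Customers" ON customers;

-- Re-create strict policies so the role check is guaranteed to be present
CREATE POLICY "Strict Admin Insert Customers"
    ON customers FOR INSERT
    WITH CHECK (current_user_is_admin());

CREATE POLICY "Strict Admin Update Customers"
    ON customers FOR UPDATE
    USING (current_user_is_admin())
    WITH CHECK (current_user_is_admin());

CREATE POLICY "Strict Admin Delete Customers"
    ON customers FOR DELETE
    USING (current_user_is_admin());

-- 3. SITE CONTENTS TABLE
-- Only UPDATE and INSERT are redefined here; this script does not define
-- a DELETE policy for site_contents.
DROP POLICY IF EXISTS "Admin update access" ON site_contents;
DROP POLICY IF EXISTS "Admin insert access" ON site_contents;
DROP POLICY IF EXISTS "Strict Admin Update Site Contents" ON site_contents;
DROP POLICY IF EXISTS "Strict Admin Insert Site Contents" ON site_contents;

CREATE POLICY "Strict Admin Update Site Contents"
    ON site_contents FOR UPDATE
    USING (current_user_is_admin())
    WITH CHECK (current_user_is_admin());

CREATE POLICY "Strict Admin Insert Site Contents"
    ON site_contents FOR INSERT
    WITH CHECK (current_user_is_admin());

COMMIT;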