Personel Sayfası ve Uygulama renk değişiklikleri
This commit is contained in:
76
supabase/migrations/20240317000004_fix_rls_recursion.sql
Normal file
76
supabase/migrations/20240317000004_fix_rls_recursion.sql
Normal file
@@ -0,0 +1,76 @@
|
||||
-- 1. Create SECURITY DEFINER functions to bypass RLS recursion
|
||||
-- We need these functions to check roles and membership without recursing into the same table's RLS policy.
|
||||
|
||||
-- Function to check if a user is an admin
|
||||
CREATE OR REPLACE FUNCTION public.is_admin()
|
||||
RETURNS boolean AS $$
|
||||
BEGIN
|
||||
RETURN EXISTS (
|
||||
SELECT 1 FROM public.employees e
|
||||
INNER JOIN public.roles r ON e.role_id = r.id
|
||||
WHERE e.user_id = auth.uid()
|
||||
AND r.name = 'admin'
|
||||
);
|
||||
END;
|
||||
$$ LANGUAGE plpgsql SECURITY DEFINER;
|
||||
|
||||
-- Function to get the current user's company IDs
|
||||
CREATE OR REPLACE FUNCTION public.get_my_companies()
|
||||
RETURNS SETOF uuid AS $$
|
||||
BEGIN
|
||||
RETURN QUERY SELECT company_id FROM public.employees WHERE user_id = auth.uid();
|
||||
END;
|
||||
$$ LANGUAGE plpgsql SECURITY DEFINER;
|
||||
|
||||
-- 2. Clean up old recursive policies
|
||||
DROP POLICY IF EXISTS "Users can view their own company" ON public.companies;
|
||||
DROP POLICY IF EXISTS "Personal employee record view" ON public.employees;
|
||||
DROP POLICY IF EXISTS "Employees can view colleagues in their company" ON public.employees;
|
||||
DROP POLICY IF EXISTS "Managers can manage employees in their company" ON public.employees;
|
||||
|
||||
-- 3. Create new non-recursive policies
|
||||
|
||||
-- Companies: Users can see companies they belong to
|
||||
CREATE POLICY "View belonging companies"
|
||||
ON public.companies
|
||||
FOR SELECT TO authenticated
|
||||
USING (
|
||||
id IN (SELECT public.get_my_companies())
|
||||
OR public.is_admin()
|
||||
);
|
||||
|
||||
-- Employees: Everyone can see their own record
|
||||
CREATE POLICY "View own employee record"
|
||||
ON public.employees
|
||||
FOR SELECT TO authenticated
|
||||
USING (user_id = auth.uid());
|
||||
|
||||
-- Employees: Admins can see everyone in the companies they belong to
|
||||
CREATE POLICY "Admins can see coworkers"
|
||||
ON public.employees
|
||||
FOR SELECT TO authenticated
|
||||
USING (
|
||||
company_id IN (SELECT public.get_my_companies())
|
||||
AND public.is_admin()
|
||||
);
|
||||
|
||||
-- Employees: Admins can manage coworkers
|
||||
CREATE POLICY "Admins can manage coworkers"
|
||||
ON public.employees
|
||||
FOR ALL TO authenticated
|
||||
USING (
|
||||
company_id IN (SELECT public.get_my_companies())
|
||||
AND public.is_admin()
|
||||
)
|
||||
WITH CHECK (
|
||||
company_id IN (SELECT public.get_my_companies())
|
||||
AND public.is_admin()
|
||||
);
|
||||
|
||||
-- Users: Ensure everyone can see their own profile at least
|
||||
CREATE POLICY "Users can view own profile"
|
||||
ON public.users
|
||||
FOR SELECT TO authenticated
|
||||
USING (auth.uid() = id);
|
||||
|
||||
-- If "Users can view all users" already exists, it's fine.
|
||||
Reference in New Issue
Block a user