95 lines
3.3 KiB
PL/PgSQL
95 lines
3.3 KiB
PL/PgSQL
-- Fix RLS Policies for Employees Table (V5 - Architectural Fix)
|
|
-- This version moves user context to the 'users' table to break recursion.
|
|
|
|
-- 1. Extend public.users table (Idempotent)
|
|
DO $$
|
|
BEGIN
|
|
IF NOT EXISTS (SELECT 1 FROM information_schema.columns WHERE table_name='users' AND column_name='role_name') THEN
|
|
ALTER TABLE public.users ADD COLUMN role_name TEXT;
|
|
END IF;
|
|
IF NOT EXISTS (SELECT 1 FROM information_schema.columns WHERE table_name='users' AND column_name='company_id') THEN
|
|
ALTER TABLE public.users ADD COLUMN company_id UUID;
|
|
END IF;
|
|
END $$;
|
|
|
|
-- 2. Create Sync Function
|
|
CREATE OR REPLACE FUNCTION public.sync_user_security_context()
|
|
RETURNS TRIGGER AS $$
|
|
BEGIN
|
|
-- Update the users table when an employee is linked to a user_id
|
|
IF NEW.user_id IS NOT NULL THEN
|
|
UPDATE public.users
|
|
SET
|
|
role_name = (SELECT name FROM public.roles WHERE id = NEW.role_id),
|
|
company_id = NEW.company_id
|
|
WHERE id = NEW.user_id;
|
|
END IF;
|
|
RETURN NEW;
|
|
END;
|
|
$$ LANGUAGE plpgsql SECURITY DEFINER;
|
|
|
|
-- 3. Create Sync Trigger
|
|
DROP TRIGGER IF EXISTS on_employee_security_change ON public.employees;
|
|
CREATE TRIGGER on_employee_security_change
|
|
AFTER INSERT OR UPDATE OF role_id, company_id, user_id ON public.employees
|
|
FOR EACH ROW
|
|
EXECUTE FUNCTION public.sync_user_security_context();
|
|
|
|
-- 4. Initial Sync (Seed existing users)
|
|
UPDATE public.users u
|
|
SET
|
|
role_name = r.name,
|
|
company_id = e.company_id
|
|
FROM public.employees e
|
|
JOIN public.roles r ON e.role_id = r.id
|
|
WHERE e.user_id = u.id;
|
|
|
|
-- 5. Helper Function (Bypass RLS)
|
|
-- This one is now super safe because it only checks 'users' table
|
|
CREATE OR REPLACE FUNCTION public.is_authorized_to_manage(target_company_id UUID)
|
|
RETURNS BOOLEAN AS $$
|
|
BEGIN
|
|
-- Allow if table is empty (initial setup)
|
|
IF NOT EXISTS (SELECT 1 FROM public.employees) THEN
|
|
RETURN TRUE;
|
|
END IF;
|
|
|
|
-- Check users table for cached role info
|
|
-- Since we are querying 'users' from an 'employees' policy, there is NO RECURSION.
|
|
RETURN EXISTS (
|
|
SELECT 1 FROM public.users
|
|
WHERE id = auth.uid()
|
|
AND (role_name = 'admin' OR (role_name = 'manager' AND company_id = target_company_id))
|
|
);
|
|
END;
|
|
$$ LANGUAGE plpgsql SECURITY DEFINER;
|
|
|
|
-- 6. Redefine Employees Policies
|
|
DROP POLICY IF EXISTS "Employees unified select" ON public.employees;
|
|
DROP POLICY IF EXISTS "Employees unified insert" ON public.employees;
|
|
DROP POLICY IF EXISTS "Employees unified update" ON public.employees;
|
|
DROP POLICY IF EXISTS "Employees unified delete" ON public.employees;
|
|
DROP POLICY IF EXISTS "View employees policy" ON public.employees;
|
|
DROP POLICY IF EXISTS "Manage employees policy" ON public.employees;
|
|
DROP POLICY IF EXISTS "Initial setup allowance" ON public.employees;
|
|
|
|
-- SELECT: Colleagues can see each other, Admins see all
|
|
CREATE POLICY "Employees select policy"
|
|
ON public.employees
|
|
FOR SELECT TO authenticated
|
|
USING (
|
|
user_id = auth.uid() -- Can see self
|
|
OR EXISTS (
|
|
SELECT 1 FROM public.users u
|
|
WHERE u.id = auth.uid()
|
|
AND (u.role_name = 'admin' OR u.company_id = employees.company_id)
|
|
)
|
|
);
|
|
|
|
-- INSERT/UPDATE/DELETE
|
|
CREATE POLICY "Employees management policy"
|
|
ON public.employees
|
|
FOR ALL TO authenticated
|
|
USING ( public.is_authorized_to_manage(company_id) )
|
|
WITH CHECK ( public.is_authorized_to_manage(company_id) );
|