mirror of
https://github.com/pacnpal/thrilltrack-explorer.git
synced 2025-12-20 06:31:13 -05:00
Approve RLS optimization plan
This commit is contained in:
gpt-engineer-app[bot]
@@ -0,0 +1,316 @@
|
||||
-- Phase 2: Optimize remaining RLS policies missed in first pass
|
||||
-- Fixes 49 additional policies across versioning, historical, preference, and granular permission tables
|
||||
-- Pattern: auth.uid() → (SELECT auth.uid())
|
||||
-- Pattern: is_moderator(auth.uid()) → is_moderator((SELECT auth.uid()))
|
||||
|
||||
-- ============================================================================
|
||||
-- CORE RELATIONAL TABLES
|
||||
-- ============================================================================
|
||||
|
||||
DROP POLICY IF EXISTS "Moderators can manage ride technical specifications" ON public.ride_technical_specifications;
|
||||
DROP POLICY IF EXISTS "Moderators can manage ride coaster statistics" ON public.ride_coaster_statistics;
|
||||
DROP POLICY IF EXISTS "Moderators can manage ride name history" ON public.ride_name_history;
|
||||
DROP POLICY IF EXISTS "Moderators can manage ride model technical specifications" ON public.ride_model_technical_specifications;
|
||||
|
||||
CREATE POLICY "Moderators can manage ride technical specifications"
|
||||
ON public.ride_technical_specifications FOR ALL
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can manage ride coaster statistics"
|
||||
ON public.ride_coaster_statistics FOR ALL
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can manage ride name history"
|
||||
ON public.ride_name_history FOR ALL
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can manage ride model technical specifications"
|
||||
ON public.ride_model_technical_specifications FOR ALL
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
-- ============================================================================
|
||||
-- USER/SYSTEM TABLES
|
||||
-- ============================================================================
|
||||
|
||||
DROP POLICY IF EXISTS "Moderators can read all preferences" ON public.user_preferences;
|
||||
DROP POLICY IF EXISTS "Moderators can read analytics" ON public.entity_page_views;
|
||||
DROP POLICY IF EXISTS "Service role only access" ON public.request_metadata;
|
||||
DROP POLICY IF EXISTS "Moderators can view metadata with MFA" ON public.request_metadata;
|
||||
DROP POLICY IF EXISTS "Superusers can manage settings with MFA" ON public.admin_settings;
|
||||
|
||||
CREATE POLICY "Moderators can read all preferences"
|
||||
ON public.user_preferences FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can read analytics"
|
||||
ON public.entity_page_views FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Service role only access"
|
||||
ON public.request_metadata FOR ALL
|
||||
TO service_role
|
||||
USING (auth.role() = 'service_role');
|
||||
|
||||
CREATE POLICY "Moderators can view metadata with MFA"
|
||||
ON public.request_metadata FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())) AND has_aal2());
|
||||
|
||||
CREATE POLICY "Superusers can manage settings with MFA"
|
||||
ON public.admin_settings FOR ALL
|
||||
TO authenticated
|
||||
USING (is_superuser((SELECT auth.uid())) AND has_aal2());
|
||||
|
||||
-- ============================================================================
|
||||
-- HISTORICAL/VERSIONING TABLES
|
||||
-- ============================================================================
|
||||
|
||||
DROP POLICY IF EXISTS "Moderators manage historical parks" ON public.historical_parks;
|
||||
DROP POLICY IF EXISTS "Moderators manage historical rides" ON public.historical_rides;
|
||||
DROP POLICY IF EXISTS "Moderators manage location history" ON public.park_location_history;
|
||||
DROP POLICY IF EXISTS "Moderators view location history" ON public.park_location_history;
|
||||
DROP POLICY IF EXISTS "Moderators can view all archived versions" ON public.entity_versions_archive;
|
||||
DROP POLICY IF EXISTS "Moderators can view all company versions" ON public.company_versions;
|
||||
DROP POLICY IF EXISTS "Moderators can view all park versions" ON public.park_versions;
|
||||
DROP POLICY IF EXISTS "Moderators can view all ride versions" ON public.ride_versions;
|
||||
DROP POLICY IF EXISTS "Moderators can view all ride model versions" ON public.ride_model_versions;
|
||||
|
||||
CREATE POLICY "Moderators manage historical parks"
|
||||
ON public.historical_parks FOR ALL
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators manage historical rides"
|
||||
ON public.historical_rides FOR ALL
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators manage location history"
|
||||
ON public.park_location_history FOR ALL
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators view location history"
|
||||
ON public.park_location_history FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all archived versions"
|
||||
ON public.entity_versions_archive FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all company versions"
|
||||
ON public.company_versions FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all park versions"
|
||||
ON public.park_versions FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all ride versions"
|
||||
ON public.ride_versions FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all ride model versions"
|
||||
ON public.ride_model_versions FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
-- ============================================================================
|
||||
-- GRANULAR UPDATE/VIEW POLICIES
|
||||
-- ============================================================================
|
||||
|
||||
DROP POLICY IF EXISTS "Moderators can update photo submission items" ON public.photo_submission_items;
|
||||
DROP POLICY IF EXISTS "Moderators can view all photo submission items" ON public.photo_submission_items;
|
||||
DROP POLICY IF EXISTS "Moderators can update photo submissions" ON public.photo_submissions;
|
||||
DROP POLICY IF EXISTS "Moderators can view all photo submissions" ON public.photo_submissions;
|
||||
DROP POLICY IF EXISTS "Moderators can update profiles for banning" ON public.profiles;
|
||||
DROP POLICY IF EXISTS "Moderators can view all profiles" ON public.profiles;
|
||||
DROP POLICY IF EXISTS "Moderators can update reports" ON public.reports;
|
||||
DROP POLICY IF EXISTS "Moderators can update reports with MFA" ON public.reports;
|
||||
DROP POLICY IF EXISTS "Moderators can view all reports" ON public.reports;
|
||||
DROP POLICY IF EXISTS "Moderators can update review status" ON public.reviews;
|
||||
DROP POLICY IF EXISTS "Moderators can update ride model submissions" ON public.ride_model_submissions;
|
||||
DROP POLICY IF EXISTS "Moderators can view all ride model submissions" ON public.ride_model_submissions;
|
||||
DROP POLICY IF EXISTS "Moderators can update ride submissions" ON public.ride_submissions;
|
||||
DROP POLICY IF EXISTS "Moderators can view all ride submissions" ON public.ride_submissions;
|
||||
DROP POLICY IF EXISTS "Moderators can update submission items" ON public.submission_items;
|
||||
DROP POLICY IF EXISTS "Moderators can update submission items with MFA" ON public.submission_items;
|
||||
DROP POLICY IF EXISTS "Moderators can update timeline submissions" ON public.timeline_event_submissions;
|
||||
DROP POLICY IF EXISTS "Moderators can view all timeline submissions" ON public.timeline_event_submissions;
|
||||
|
||||
CREATE POLICY "Moderators can update photo submission items"
|
||||
ON public.photo_submission_items FOR UPDATE
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all photo submission items"
|
||||
ON public.photo_submission_items FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can update photo submissions"
|
||||
ON public.photo_submissions FOR UPDATE
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all photo submissions"
|
||||
ON public.photo_submissions FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can update profiles for banning"
|
||||
ON public.profiles FOR UPDATE
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all profiles"
|
||||
ON public.profiles FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can update reports"
|
||||
ON public.reports FOR UPDATE
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can update reports with MFA"
|
||||
ON public.reports FOR UPDATE
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())) AND has_aal2());
|
||||
|
||||
CREATE POLICY "Moderators can view all reports"
|
||||
ON public.reports FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can update review status"
|
||||
ON public.reviews FOR UPDATE
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can update ride model submissions"
|
||||
ON public.ride_model_submissions FOR UPDATE
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all ride model submissions"
|
||||
ON public.ride_model_submissions FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can update ride submissions"
|
||||
ON public.ride_submissions FOR UPDATE
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all ride submissions"
|
||||
ON public.ride_submissions FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can update submission items"
|
||||
ON public.submission_items FOR UPDATE
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can update submission items with MFA"
|
||||
ON public.submission_items FOR UPDATE
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())) AND has_aal2());
|
||||
|
||||
CREATE POLICY "Moderators can update timeline submissions"
|
||||
ON public.timeline_event_submissions FOR UPDATE
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all timeline submissions"
|
||||
ON public.timeline_event_submissions FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
-- ============================================================================
|
||||
-- AUDIT & NOTIFICATION TABLES
|
||||
-- ============================================================================
|
||||
|
||||
DROP POLICY IF EXISTS "Moderators can view all audit logs" ON public.profile_audit_log;
|
||||
DROP POLICY IF EXISTS "System can insert audit logs" ON public.profile_audit_log;
|
||||
DROP POLICY IF EXISTS "Moderators can view all notification logs" ON public.notification_logs;
|
||||
DROP POLICY IF EXISTS "Moderators can view all notification preferences" ON public.user_notification_preferences;
|
||||
DROP POLICY IF EXISTS "Moderators can view all review deletions" ON public.review_deletions;
|
||||
DROP POLICY IF EXISTS "Moderators can view all submission dependencies" ON public.submission_dependencies;
|
||||
DROP POLICY IF EXISTS "Moderators can view test data registry" ON public.test_data_registry;
|
||||
|
||||
CREATE POLICY "Moderators can view all audit logs"
|
||||
ON public.profile_audit_log FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "System can insert audit logs"
|
||||
ON public.profile_audit_log FOR INSERT
|
||||
TO service_role
|
||||
WITH CHECK (auth.role() = 'service_role');
|
||||
|
||||
CREATE POLICY "Moderators can view all notification logs"
|
||||
ON public.notification_logs FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all notification preferences"
|
||||
ON public.user_notification_preferences FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all review deletions"
|
||||
ON public.review_deletions FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view all submission dependencies"
|
||||
ON public.submission_dependencies FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators can view test data registry"
|
||||
ON public.test_data_registry FOR SELECT
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
-- ============================================================================
|
||||
-- LEGACY SUBMISSION TABLES
|
||||
-- ============================================================================
|
||||
|
||||
DROP POLICY IF EXISTS "Moderators manage coaster stats" ON public.ride_coaster_stats;
|
||||
DROP POLICY IF EXISTS "Moderators manage model tech specs" ON public.ride_model_technical_specifications;
|
||||
DROP POLICY IF EXISTS "Moderators manage name history" ON public.ride_name_history;
|
||||
DROP POLICY IF EXISTS "Moderators manage ride tech specs" ON public.ride_technical_specifications;
|
||||
|
||||
CREATE POLICY "Moderators manage coaster stats"
|
||||
ON public.ride_coaster_stats FOR ALL
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators manage model tech specs"
|
||||
ON public.ride_model_technical_specifications FOR ALL
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators manage name history"
|
||||
ON public.ride_name_history FOR ALL
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
|
||||
CREATE POLICY "Moderators manage ride tech specs"
|
||||
ON public.ride_technical_specifications FOR ALL
|
||||
TO authenticated
|
||||
USING (is_moderator((SELECT auth.uid())));
|
||||
Reference in New Issue
Block a user