Refactor security policies

2025-12-24 05:11:13 -05:00 · 2025-09-29 22:19:22 +00:00
parent f586b31954
commit 622c9ba064
4 changed files with 88 additions and 29 deletions
--- a/src/components/profile/LocationDisplay.tsx
+++ b/src/components/profile/LocationDisplay.tsx
@@ -19,25 +19,26 @@ export function LocationDisplay({ location, userId, isOwnProfile }: LocationDisp
  }, [userId, isOwnProfile]);

  const fetchLocationPrivacy = async () => {
-    // Always show location for own profile
-    if (isOwnProfile) {
-      setShowLocation(true);
-      return;
-    }
-
    try {
-      const { data } = await supabase
-        .from('user_preferences')
-        .select('privacy_settings')
-        .eq('user_id', userId)
-        .maybeSingle();
+      const { data: { user } } = await supabase.auth.getUser();
+      const viewerId = user?.id;

-      if (data?.privacy_settings) {
-        const settings = data.privacy_settings as any;
-        setShowLocation(settings.show_location || false);
+      // Use the secure function to check location visibility
+      const { data, error } = await supabase
+        .rpc('can_view_user_location', {
+          _viewer_id: viewerId,
+          _profile_user_id: userId
+        });
+
+      if (error) {
+        console.error('Error checking location privacy:', error);
+        setShowLocation(false);
+        return;
      }
+
+      setShowLocation(data || false);
    } catch (error) {
-      console.error('Error fetching location privacy:', error);
+      console.error('Error checking location privacy:', error);
      setShowLocation(false);
    }
  };
--- a/src/components/profile/PersonalLocationDisplay.tsx
+++ b/src/components/profile/PersonalLocationDisplay.tsx
@@ -16,23 +16,24 @@ export function PersonalLocationDisplay({ personalLocation, userId, isOwnProfile
  }, [userId, isOwnProfile]);

  const fetchLocationPrivacy = async () => {
-    // Always show location for own profile
-    if (isOwnProfile) {
-      setShowLocation(true);
-      return;
-    }
-
    try {
-      const { data } = await supabase
-        .from('user_preferences')
-        .select('privacy_settings')
-        .eq('user_id', userId)
-        .maybeSingle();
+      const { data: { user } } = await supabase.auth.getUser();
+      const viewerId = user?.id;

-      if (data?.privacy_settings) {
-        const settings = data.privacy_settings as any;
-        setShowLocation(settings.show_location || false);
+      // Use the secure function to check location visibility
+      const { data, error } = await supabase
+        .rpc('can_view_user_location', {
+          _viewer_id: viewerId,
+          _profile_user_id: userId
+        });
+
+      if (error) {
+        console.error('Error checking location privacy:', error);
+        setShowLocation(false);
+        return;
      }
+
+      setShowLocation(data || false);
    } catch (error) {
      console.error('Error fetching location privacy:', error);
      setShowLocation(false);