Refactor security policies

supabase/migrations/20250929221847_f44d59c9-f44e-46e4-959d-28281d563718.sql

@@ -0,0 +1,53 @@
+-- Fix user_preferences privacy exposure
+-- Drop the overly permissive policy
+DROP POLICY IF EXISTS "Allow reading privacy settings for permission checks" ON public.user_preferences;
+
+-- Create a restricted policy: users can only read their own preferences
+CREATE POLICY "Users can read their own preferences"
+ON public.user_preferences
+FOR SELECT
+TO authenticated
+USING (auth.uid() = user_id);
+
+-- Create a policy for moderators to read all preferences
+CREATE POLICY "Moderators can read all preferences"
+ON public.user_preferences
+FOR SELECT
+TO authenticated
+USING (is_moderator(auth.uid()));
+
+-- Create a security definer function to check if a user's location should be visible
+CREATE OR REPLACE FUNCTION public.can_view_user_location(_viewer_id uuid, _profile_user_id uuid)
+RETURNS boolean
+LANGUAGE plpgsql
+STABLE
+SECURITY DEFINER
+SET search_path = public
+AS $$
+DECLARE
+  user_privacy_settings jsonb;
+BEGIN
+  -- Always allow users to view their own location
+  IF _viewer_id = _profile_user_id THEN
+    RETURN true;
+  END IF;
+
+  -- Allow moderators to view all locations
+  IF is_moderator(_viewer_id) THEN
+    RETURN true;
+  END IF;
+
+  -- Check the user's privacy settings
+  SELECT privacy_settings INTO user_privacy_settings
+  FROM public.user_preferences
+  WHERE user_id = _profile_user_id;
+
+  -- If no privacy settings found, default to not showing location
+  IF user_privacy_settings IS NULL THEN
+    RETURN false;
+  END IF;
+
+  -- Check if the user has enabled location visibility
+  RETURN COALESCE((user_privacy_settings->>'show_location')::boolean, false);
+END;
+$$;