pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-20 04:31:13 -05:00
Code Issues Packages Projects Releases Wiki Activity

Refactor: Approve RLS migration

Browse Source
This commit is contained in:
gpt-engineer-app[bot]
2025-10-17 19:27:49 +00:00
parent 5292045e7a
commit ba11773eb6
1 changed files with 76 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
supabase/migrations/20251017192734_2ac34e6e-1d0d-4c2b-90a2-800f747d2640.sql Normal file
View File

@@ -0,0 +1,76 @@
-- Add AAL2 enforcement for users with MFA enrolled
-- This provides defense-in-depth at the database level
-- Update RLS policy on content_submissions to enforce AAL2 for moderators
DROP POLICY IF EXISTS "Moderators can view all submissions" ON public.content_submissions;
CREATE POLICY "Moderators can view all submissions"
ON public.content_submissions
FOR SELECT
TO authenticated
USING (
is_moderator(auth.uid()) AND (
-- Allow if user doesn't have MFA OR has AAL2
NOT EXISTS (
SELECT 1 FROM auth.mfa_factors
WHERE user_id = auth.uid() AND status = 'verified'
) OR has_aal2()
)
);
DROP POLICY IF EXISTS "Moderators can update submissions" ON public.content_submissions;
CREATE POLICY "Moderators can update submissions"
ON public.content_submissions
FOR UPDATE
TO authenticated
USING (
is_moderator(auth.uid()) AND (
NOT EXISTS (
SELECT 1 FROM auth.mfa_factors
WHERE user_id = auth.uid() AND status = 'verified'
) OR has_aal2()
)
);
-- Apply same enforcement to submission_items
DROP POLICY IF EXISTS "Moderators can update submission items" ON public.submission_items;
CREATE POLICY "Moderators can update submission items"
ON public.submission_items
FOR UPDATE
TO authenticated
USING (
is_moderator(auth.uid()) AND (
NOT EXISTS (
SELECT 1 FROM auth.mfa_factors
WHERE user_id = auth.uid() AND status = 'verified'
) OR has_aal2()
)
);
DROP POLICY IF EXISTS "Moderators can delete submission items" ON public.submission_items;
CREATE POLICY "Moderators can delete submission items"
ON public.submission_items
FOR DELETE
TO authenticated
USING (
is_moderator(auth.uid()) AND (
NOT EXISTS (
SELECT 1 FROM auth.mfa_factors
WHERE user_id = auth.uid() AND status = 'verified'
) OR has_aal2()
)
);
-- Apply same enforcement to user_roles table for role management
DROP POLICY IF EXISTS "Moderators can manage roles" ON public.user_roles;
CREATE POLICY "Moderators can manage roles"
ON public.user_roles
FOR ALL
TO authenticated
USING (
is_moderator(auth.uid()) AND (
NOT EXISTS (
SELECT 1 FROM auth.mfa_factors
WHERE user_id = auth.uid() AND status = 'verified'
) OR has_aal2()
)
);