From dc53f04d87a45deee064236a8fd1a8efe3ab2f44 Mon Sep 17 00:00:00 2001
From: "gpt-engineer-app[bot]" <159125892+gpt-engineer-app[bot]@users.noreply.github.com>
Date: Thu, 9 Oct 2025 12:02:31 +0000
Subject: [PATCH] Fix RLS policy for profiles
---
 ...9_d8f52c39-b0b6-483d-b6cd-b691c13a79fb.sql | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 supabase/migrations/20251009120109_d8f52c39-b0b6-483d-b6cd-b691c13a79fb.sql
diff --git a/supabase/migrations/20251009120109_d8f52c39-b0b6-483d-b6cd-b691c13a79fb.sql b/supabase/migrations/20251009120109_d8f52c39-b0b6-483d-b6cd-b691c13a79fb.sql
new file mode 100644
index 00000000..64b33f34
--- /dev/null
+++ b/supabase/migrations/20251009120109_d8f52c39-b0b6-483d-b6cd-b691c13a79fb.sql
@@ -0,0 +1,30 @@
+-- Fix: Allow authenticated users to view public profiles
+-- The filtered_profiles view handles field-level privacy filtering
+
+-- Drop the confusingly named policy that doesn't actually use the filtered view
+DROP POLICY IF EXISTS "Users view own profile or use filtered view" ON public.profiles;
+
+-- Add a new policy that allows viewing public, non-banned profiles
+-- The filtered_profiles view will handle granular field-level access control
+CREATE POLICY "Authenticated users can view public profiles"
+ON public.profiles
+FOR SELECT
+TO authenticated
+USING (
+-- Users can always see their own profile completely
+(auth.uid() = user_id)
+OR
+-- Users can see public profiles that aren't banned
+(privacy_level = 'public' AND NOT banned)
+OR
+-- Moderators can see all profiles
+is_moderator(auth.uid())
+);
+
+-- Add comment explaining the security model
+COMMENT ON POLICY "Authenticated users can view public profiles" ON public.profiles IS
+'Allows authenticated users to view public profiles.
+Sensitive fields should be accessed through the filtered_profiles view which enforces granular privacy controls.
+Users can always see their own complete profile.
+Moderators can see all profiles.
+Banned profiles are hidden from regular users.';
\ No newline at end of file
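Review bot: The USING predicate of the new policy only decides which rows of public.profiles an authenticated user may read; it does nothing to restrict columns, so once a public, non-banned row passes, every column of it — including whatever the migration's own COMMENT calls "sensitive fields" — is readable by a direct SELECT on the table, and the filtered_profiles view is simply bypassed by any client that queries the table itself. If field-level privacy is a requirement rather than a convention, enforce it in the database with column privileges, e.g. `REVOKE SELECT ON public.profiles FROM authenticated;` followed by `GRANT SELECT (user_id, privacy_level, banned, <non_sensitive_columns>) ON public.profiles TO authenticated;`, let the view (or the role that owns it) expose the rest, and reword the policy COMMENT at the end of the hunk to say that column grants, not the view, are what stop direct reads. is_moderator() is defined outside this file so I cannot check it, but because this policy evaluates it per row it should be STABLE, and if it itself reads public.profiles it will be subject to this same policy and can recurse. A minor point: if banned is nullable, `NOT banned` is NULL for unset rows and the policy hides them, which fails closed but is implicit; `banned IS NOT TRUE` states the intent if NULL is meant to be "not banned".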