Fix: Update RLS policies for MFA checks

gpt-engineer-app[bot]
2025-10-17 20:06:00 +00:00
parent c06dd4e362
commit dd95b99238
2 changed files with 56 additions and 0 deletions


@@ -3668,6 +3668,10 @@ export type Database = {
Args: Record<PropertyKey, never>
Returns: boolean
}
has_mfa_enabled: {
Args: { _user_id: string }
Returns: boolean
}
has_pending_dependents: {
Args: { item_id: string }
Returns: boolean


@@ -0,0 +1,52 @@
-- Create SECURITY DEFINER function to safely check MFA enrollment
CREATE OR REPLACE FUNCTION public.has_mfa_enabled(_user_id uuid)
RETURNS boolean
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = auth, public
AS $$
SELECT EXISTS (
SELECT 1
FROM auth.mfa_factors
WHERE user_id = _user_id
AND status = 'verified'
);
$$;
GRANT EXECUTE ON FUNCTION public.has_mfa_enabled(uuid) TO authenticated;
-- Drop all existing policies on user_roles
DROP POLICY IF EXISTS "Users can view their own roles" ON public.user_roles;
DROP POLICY IF EXISTS "Moderators can manage roles" ON public.user_roles;
DROP POLICY IF EXISTS "Admins can assign moderator roles" ON public.user_roles;
DROP POLICY IF EXISTS "Users can delete their own user role" ON public.user_roles;
DROP POLICY IF EXISTS "Users can insert their own roles" ON public.user_roles;
-- Recreate policies using has_mfa_enabled() function
CREATE POLICY "Users can view their own roles"
ON public.user_roles
FOR SELECT
TO authenticated
USING (auth.uid() = user_id);
CREATE POLICY "Moderators can manage roles"
ON public.user_roles
FOR ALL
TO authenticated
USING (
is_moderator(auth.uid()) AND
(NOT has_mfa_enabled(auth.uid()) OR has_aal2())
)
WITH CHECK (
is_moderator(auth.uid()) AND
(NOT has_mfa_enabled(auth.uid()) OR has_aal2())
);
CREATE POLICY "Users can delete their own user role"
ON public.user_roles
FOR DELETE
TO authenticated
USING (auth.uid() = user_id AND role = 'user');
GRANT SELECT ON public.user_roles TO authenticated;
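Review bot: In the "Moderators can manage roles" policy, `(NOT has_mfa_enabled(auth.uid()) OR has_aal2())` fails open: a moderator who never enrolled a factor passes with a password-only session. If role management is meant to be MFA-protected, both `USING` and `WITH CHECK` should require `has_aal2()` unconditionally. The `WITH CHECK` of that `FOR ALL` policy also puts no limit on `role` or `user_id`, so unless a trigger or constraint outside this migration prevents it, a moderator can write rows granting any role to any account, including their own; it should name the roles a moderator may assign. Separately, `has_mfa_enabled` is `SECURITY DEFINER` and accepts any `_user_id`, so any caller with EXECUTE can learn which accounts have no verified factor; add `AND _user_id = auth.uid()` to its `WHERE` clause and put `REVOKE EXECUTE ON FUNCTION public.has_mfa_enabled(uuid) FROM PUBLIC;` before the `GRANT`, since Postgres grants EXECUTE to PUBLIC by default. Because the body already schema-qualifies `auth.mfa_factors`, `SET search_path = ''` would be a tighter setting for a definer-rights function than `auth, public`.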