pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-22 15:31:12 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Correct RLS policies and function security

Browse Source
This commit is contained in:
gpt-engineer-app[bot]
2025-10-06 16:50:00 +00:00
parent 02a9fdad84
commit fae8542c45
5 changed files with 447 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
src/lib/entitySubmissionHelpers.ts
View File

@@ -116,10 +116,29 @@ export interface RideFormData {
card_image_id?: string;
}
/**
* ⚠️ CRITICAL SECURITY PATTERN ⚠️
*
* Submits a new park for creation through the moderation queue.
* This is the ONLY correct way to create parks.
*
* DO NOT use direct database inserts:
* ❌ await supabase.from('parks').insert(data) // BYPASSES MODERATION!
* ✅ await submitParkCreation(data, userId) // CORRECT
*
* Flow: User Submit → Moderation Queue → Approval → Versioning → Live
*
* Even moderators/admins must use this function to ensure proper versioning and audit trails.
*
* @see docs/SUBMISSION_FLOW.md for complete documentation
* @param data - The park form data to submit
* @param userId - The ID of the user submitting the park
* @returns Object containing submitted boolean and submissionId
*/
export async function submitParkCreation(
data: ParkFormData,
userId: string
) {
): Promise<{ submitted: boolean; submissionId: string }> {
// Upload any pending local images first
let processedImages = data.images;
if (data.images?.uploaded && data.images.uploaded.length > 0) {
@@ -165,11 +184,31 @@ export async function submitParkCreation(
return { submitted: true, submissionId: submissionData.id };
}
/**
* ⚠️ CRITICAL SECURITY PATTERN ⚠️
*
* Submits an update to an existing park through the moderation queue.
* This is the ONLY correct way to update parks.
*
* DO NOT use direct database updates:
* ❌ await supabase.from('parks').update(data) // BYPASSES MODERATION!
* ✅ await submitParkUpdate(parkId, data, userId) // CORRECT
*
* Flow: User Submit → Moderation Queue → Approval → Versioning → Live
*
* Even moderators/admins must use this function to ensure proper versioning and audit trails.
*
* @see docs/SUBMISSION_FLOW.md for complete documentation
* @param parkId - The ID of the park to update
* @param data - The updated park form data
* @param userId - The ID of the user submitting the update
* @returns Object containing submitted boolean and submissionId
*/
export async function submitParkUpdate(
parkId: string,
data: ParkFormData,
userId: string
) {
): Promise<{ submitted: boolean; submissionId: string }> {
// Fetch existing park data first
const { data: existingPark, error: fetchError } = await supabase
.from('parks')
@@ -228,10 +267,29 @@ export async function submitParkUpdate(
return { submitted: true, submissionId: submissionData.id };
}
/**
* ⚠️ CRITICAL SECURITY PATTERN ⚠️
*
* Submits a new ride for creation through the moderation queue.
* This is the ONLY correct way to create rides.
*
* DO NOT use direct database inserts:
* ❌ await supabase.from('rides').insert(data) // BYPASSES MODERATION!
* ✅ await submitRideCreation(data, userId) // CORRECT
*
* Flow: User Submit → Moderation Queue → Approval → Versioning → Live
*
* Even moderators/admins must use this function to ensure proper versioning and audit trails.
*
* @see docs/SUBMISSION_FLOW.md for complete documentation
* @param data - The ride form data to submit
* @param userId - The ID of the user submitting the ride
* @returns Object containing submitted boolean and submissionId
*/
export async function submitRideCreation(
data: RideFormData,
userId: string
) {
): Promise<{ submitted: boolean; submissionId: string }> {
// Upload any pending local images first
let processedImages = data.images;
if (data.images?.uploaded && data.images.uploaded.length > 0) {
@@ -277,11 +335,31 @@ export async function submitRideCreation(
return { submitted: true, submissionId: submissionData.id };
}
/**
* ⚠️ CRITICAL SECURITY PATTERN ⚠️
*
* Submits an update to an existing ride through the moderation queue.
* This is the ONLY correct way to update rides.
*
* DO NOT use direct database updates:
* ❌ await supabase.from('rides').update(data) // BYPASSES MODERATION!
* ✅ await submitRideUpdate(rideId, data, userId) // CORRECT
*
* Flow: User Submit → Moderation Queue → Approval → Versioning → Live
*
* Even moderators/admins must use this function to ensure proper versioning and audit trails.
*
* @see docs/SUBMISSION_FLOW.md for complete documentation
* @param rideId - The ID of the ride to update
* @param data - The updated ride form data
* @param userId - The ID of the user submitting the update
* @returns Object containing submitted boolean and submissionId
*/
export async function submitRideUpdate(
rideId: string,
data: RideFormData,
userId: string
) {
): Promise<{ submitted: boolean; submissionId: string }> {
// Fetch existing ride data first
const { data: existingRide, error: fetchError } = await supabase
.from('rides')