mirror of
https://github.com/pacnpal/thrilltrack-explorer.git
synced 2025-12-20 10:11:13 -05:00
52 lines
1.5 KiB
PL/PgSQL
52 lines
1.5 KiB
PL/PgSQL
-- Create SECURITY DEFINER function to safely check MFA enrollment
|
|
CREATE OR REPLACE FUNCTION public.has_mfa_enabled(_user_id uuid)
|
|
RETURNS boolean
|
|
LANGUAGE sql
|
|
STABLE
|
|
SECURITY DEFINER
|
|
SET search_path = auth, public
|
|
AS $$
|
|
SELECT EXISTS (
|
|
SELECT 1
|
|
FROM auth.mfa_factors
|
|
WHERE user_id = _user_id
|
|
AND status = 'verified'
|
|
);
|
|
$$;
|
|
|
|
GRANT EXECUTE ON FUNCTION public.has_mfa_enabled(uuid) TO authenticated;
|
|
|
|
-- Drop all existing policies on user_roles
|
|
DROP POLICY IF EXISTS "Users can view their own roles" ON public.user_roles;
|
|
DROP POLICY IF EXISTS "Moderators can manage roles" ON public.user_roles;
|
|
DROP POLICY IF EXISTS "Admins can assign moderator roles" ON public.user_roles;
|
|
DROP POLICY IF EXISTS "Users can delete their own user role" ON public.user_roles;
|
|
DROP POLICY IF EXISTS "Users can insert their own roles" ON public.user_roles;
|
|
|
|
-- Recreate policies using has_mfa_enabled() function
|
|
CREATE POLICY "Users can view their own roles"
|
|
ON public.user_roles
|
|
FOR SELECT
|
|
TO authenticated
|
|
USING (auth.uid() = user_id);
|
|
|
|
CREATE POLICY "Moderators can manage roles"
|
|
ON public.user_roles
|
|
FOR ALL
|
|
TO authenticated
|
|
USING (
|
|
is_moderator(auth.uid()) AND
|
|
(NOT has_mfa_enabled(auth.uid()) OR has_aal2())
|
|
)
|
|
WITH CHECK (
|
|
is_moderator(auth.uid()) AND
|
|
(NOT has_mfa_enabled(auth.uid()) OR has_aal2())
|
|
);
|
|
|
|
CREATE POLICY "Users can delete their own user role"
|
|
ON public.user_roles
|
|
FOR DELETE
|
|
TO authenticated
|
|
USING (auth.uid() = user_id AND role = 'user');
|
|
|
|
GRANT SELECT ON public.user_roles TO authenticated; |