thrilltrack-explorer/supabase/migrations/20251017192734_2ac34e6e-1d0d-4c2b-90a2-800f747d2640.sql

-- Add AAL2 enforcement for users with MFA enrolled
-- This provides defense-in-depth at the database level
-- Update RLS policy on content_submissions to enforce AAL2 for moderators
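-- Moderators may read every submission, gated on MFA step-up: a moderator who
-- has a verified MFA factor must present an AAL2 session; a moderator with no
-- verified factor is admitted at AAL1 (there is nothing to step up to yet).
-- PERMISSIVE is the default and is spelled out on purpose: permissive policies
-- are OR-ed together, so this check only conditions the moderator grant itself;
-- it does not restrict rows the same user can already reach via other policies.
DROP POLICY IF EXISTS "Moderators can view all submissions" ON public.content_submissions;
CREATE POLICY "Moderators can view all submissions"
    ON public.content_submissions
    AS PERMISSIVE
    FOR SELECT
    TO authenticated
    USING (
        -- (SELECT auth.uid()) lets the planner evaluate the caller id once per
        -- statement instead of once per row.
        is_moderator((SELECT auth.uid()))
        AND (
            -- Alias-qualified columns: content_submissions may carry its own
            -- user_id/status columns, and an unqualified reference would silently
            -- bind to the outer table if the inner column ever changes.
            NOT EXISTS (
                SELECT 1
                FROM auth.mfa_factors AS f
                WHERE f.user_id = (SELECT auth.uid())
                  AND f.status = 'verified'
            )
            OR has_aal2()
        )
    );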
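-- Moderators may update submissions under the same MFA gate as the read policy:
-- a verified MFA factor on the account requires an AAL2 session; an account with
-- no verified factor passes at AAL1.
-- WITH CHECK repeats USING. Postgres applies USING to the check when WITH CHECK
-- is omitted, so behavior is unchanged; it is written out so the rule applied to
-- the row *after* the update is visible to the reader.
DROP POLICY IF EXISTS "Moderators can update submissions" ON public.content_submissions;
CREATE POLICY "Moderators can update submissions"
    ON public.content_submissions
    AS PERMISSIVE
    FOR UPDATE
    TO authenticated
    USING (
        is_moderator((SELECT auth.uid()))
        AND (
            -- Alias-qualified so the predicate cannot bind to same-named columns
            -- of content_submissions.
            NOT EXISTS (
                SELECT 1
                FROM auth.mfa_factors AS f
                WHERE f.user_id = (SELECT auth.uid())
                  AND f.status = 'verified'
            )
            OR has_aal2()
        )
    )
    WITH CHECK (
        is_moderator((SELECT auth.uid()))
        AND (
            NOT EXISTS (
                SELECT 1
                FROM auth.mfa_factors AS f
                WHERE f.user_id = (SELECT auth.uid())
                  AND f.status = 'verified'
            )
            OR has_aal2()
        )
    );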
-- Apply same enforcement to submission_items
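-- Moderators may update submission items under the same MFA gate used on
-- content_submissions: a verified MFA factor requires an AAL2 session; no
-- verified factor passes at AAL1.
-- WITH CHECK repeats USING; Postgres would use USING implicitly when WITH CHECK
-- is omitted, so this is documentation rather than a behavior change.
DROP POLICY IF EXISTS "Moderators can update submission items" ON public.submission_items;
CREATE POLICY "Moderators can update submission items"
    ON public.submission_items
    AS PERMISSIVE
    FOR UPDATE
    TO authenticated
    USING (
        is_moderator((SELECT auth.uid()))
        AND (
            -- Alias-qualified so user_id/status always refer to auth.mfa_factors,
            -- never to a same-named column of submission_items.
            NOT EXISTS (
                SELECT 1
                FROM auth.mfa_factors AS f
                WHERE f.user_id = (SELECT auth.uid())
                  AND f.status = 'verified'
            )
            OR has_aal2()
        )
    )
    WITH CHECK (
        is_moderator((SELECT auth.uid()))
        AND (
            NOT EXISTS (
                SELECT 1
                FROM auth.mfa_factors AS f
                WHERE f.user_id = (SELECT auth.uid())
                  AND f.status = 'verified'
            )
            OR has_aal2()
        )
    );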
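-- Moderators may delete submission items under the same MFA gate: a verified
-- MFA factor requires an AAL2 session; no verified factor passes at AAL1.
-- DELETE policies take USING only (WITH CHECK is not permitted for DELETE).
DROP POLICY IF EXISTS "Moderators can delete submission items" ON public.submission_items;
CREATE POLICY "Moderators can delete submission items"
    ON public.submission_items
    AS PERMISSIVE
    FOR DELETE
    TO authenticated
    USING (
        -- (SELECT auth.uid()) is evaluated once per statement rather than per row.
        is_moderator((SELECT auth.uid()))
        AND (
            -- Alias-qualified so the predicate cannot bind to same-named columns
            -- of submission_items.
            NOT EXISTS (
                SELECT 1
                FROM auth.mfa_factors AS f
                WHERE f.user_id = (SELECT auth.uid())
                  AND f.status = 'verified'
            )
            OR has_aal2()
        )
    );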
-- Apply same enforcement to user_roles table for role management
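-- Moderators may manage role assignments under the same MFA gate: a verified MFA
-- factor requires an AAL2 session; no verified factor passes at AAL1.
-- FOR ALL also covers INSERT, which is governed solely by WITH CHECK; when
-- WITH CHECK is omitted Postgres reuses USING for it. It is written out so the
-- rule that admits a new or modified role row is visible, not implied.
-- NOTE(review): this grant lets a moderator write user_roles rows for any user,
-- including their own — confirm is_moderator() or a trigger rules out
-- self-escalation, since nothing in this policy does.
DROP POLICY IF EXISTS "Moderators can manage roles" ON public.user_roles;
CREATE POLICY "Moderators can manage roles"
    ON public.user_roles
    AS PERMISSIVE
    FOR ALL
    TO authenticated
    USING (
        is_moderator((SELECT auth.uid()))
        AND (
            -- Alias-qualified: user_roles very likely has its own user_id column,
            -- and an unqualified reference must not bind to it.
            NOT EXISTS (
                SELECT 1
                FROM auth.mfa_factors AS f
                WHERE f.user_id = (SELECT auth.uid())
                  AND f.status = 'verified'
            )
            OR has_aal2()
        )
    )
    WITH CHECK (
        is_moderator((SELECT auth.uid()))
        AND (
            NOT EXISTS (
                SELECT 1
                FROM auth.mfa_factors AS f
                WHERE f.user_id = (SELECT auth.uid())
                  AND f.status = 'verified'
            )
            OR has_aal2()
        )
    );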