mirror of
https://github.com/renee-png/acmcc.git
synced 2026-06-21 09:50:01 +00:00
193 lines
7.4 KiB
SQL
193 lines
7.4 KiB
SQL
|
|
-- Fix all association-scoped policies to include staff bypass
|
|
|
|
-- billable_expenses
|
|
DROP POLICY IF EXISTS "Users can view own association billable expenses" ON public.billable_expenses;
|
|
CREATE POLICY "Users can view own association billable expenses"
|
|
ON public.billable_expenses FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR association_id IN (SELECT get_user_association_ids())
|
|
);
|
|
|
|
-- annual_meetings
|
|
DROP POLICY IF EXISTS "Users can view own association annual meetings" ON public.annual_meetings;
|
|
CREATE POLICY "Users can view own association annual meetings"
|
|
ON public.annual_meetings FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR association_id IN (SELECT get_user_association_ids())
|
|
);
|
|
|
|
-- journal_entries
|
|
DROP POLICY IF EXISTS "Users can view own association journal entries" ON public.journal_entries;
|
|
CREATE POLICY "Users can view own association journal entries"
|
|
ON public.journal_entries FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR association_id IN (SELECT get_user_association_ids())
|
|
);
|
|
|
|
-- parking_records
|
|
DROP POLICY IF EXISTS "Users can view own association parking records" ON public.parking_records;
|
|
CREATE POLICY "Users can view own association parking records"
|
|
ON public.parking_records FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR association_id IN (SELECT get_user_association_ids())
|
|
);
|
|
|
|
-- projects
|
|
DROP POLICY IF EXISTS "Users can view own association projects" ON public.projects;
|
|
CREATE POLICY "Users can view own association projects"
|
|
ON public.projects FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR association_id IN (SELECT get_user_association_ids())
|
|
);
|
|
|
|
-- unit_timeline_events
|
|
DROP POLICY IF EXISTS "Users can view own association timeline events" ON public.unit_timeline_events;
|
|
CREATE POLICY "Users can view own association timeline events"
|
|
ON public.unit_timeline_events FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR association_id IN (SELECT get_user_association_ids())
|
|
);
|
|
|
|
-- document_validation_proofs
|
|
DROP POLICY IF EXISTS "Users can view own association proofs" ON public.document_validation_proofs;
|
|
CREATE POLICY "Users can view own association proofs"
|
|
ON public.document_validation_proofs FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR association_id IN (SELECT get_user_association_ids())
|
|
);
|
|
|
|
-- board_resources
|
|
DROP POLICY IF EXISTS "Users can view own association board resources" ON public.board_resources;
|
|
CREATE POLICY "Users can view own association board resources"
|
|
ON public.board_resources FOR SELECT TO authenticated
|
|
USING (
|
|
is_active = true AND (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR association_id IN (SELECT get_user_association_ids())
|
|
)
|
|
);
|
|
|
|
-- arc_application_comments (join-based)
|
|
DROP POLICY IF EXISTS "Users can view own association arc comments" ON public.arc_application_comments;
|
|
CREATE POLICY "Users can view own association arc comments"
|
|
ON public.arc_application_comments FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR EXISTS (
|
|
SELECT 1 FROM public.arc_applications a
|
|
WHERE a.id = arc_application_comments.application_id
|
|
AND a.association_id IN (SELECT get_user_association_ids())
|
|
)
|
|
);
|
|
|
|
-- arc_application_votes (join-based)
|
|
DROP POLICY IF EXISTS "Users can view own association arc votes" ON public.arc_application_votes;
|
|
CREATE POLICY "Users can view own association arc votes"
|
|
ON public.arc_application_votes FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR EXISTS (
|
|
SELECT 1 FROM public.arc_applications a
|
|
WHERE a.id = arc_application_votes.application_id
|
|
AND a.association_id IN (SELECT get_user_association_ids())
|
|
)
|
|
);
|
|
|
|
-- bill_comments (join-based)
|
|
DROP POLICY IF EXISTS "Users can view own association bill comments" ON public.bill_comments;
|
|
CREATE POLICY "Users can view own association bill comments"
|
|
ON public.bill_comments FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR EXISTS (
|
|
SELECT 1 FROM public.bills b
|
|
WHERE b.id = bill_comments.bill_id
|
|
AND b.association_id IN (SELECT get_user_association_ids())
|
|
)
|
|
);
|
|
|
|
-- board_vote_responses (join-based)
|
|
DROP POLICY IF EXISTS "Users can view own association vote responses" ON public.board_vote_responses;
|
|
CREATE POLICY "Users can view own association vote responses"
|
|
ON public.board_vote_responses FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR EXISTS (
|
|
SELECT 1 FROM public.board_votes bv
|
|
WHERE bv.id = board_vote_responses.board_vote_id
|
|
AND bv.association_id IN (SELECT get_user_association_ids())
|
|
)
|
|
);
|
|
|
|
-- project_comments (join-based)
|
|
DROP POLICY IF EXISTS "Users can view own association project comments" ON public.project_comments;
|
|
CREATE POLICY "Users can view own association project comments"
|
|
ON public.project_comments FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR EXISTS (
|
|
SELECT 1 FROM public.projects p
|
|
WHERE p.id = project_comments.project_id
|
|
AND p.association_id IN (SELECT get_user_association_ids())
|
|
)
|
|
);
|
|
|
|
-- project_files (join-based)
|
|
DROP POLICY IF EXISTS "Users can view own association project files" ON public.project_files;
|
|
CREATE POLICY "Users can view own association project files"
|
|
ON public.project_files FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR EXISTS (
|
|
SELECT 1 FROM public.projects p
|
|
WHERE p.id = project_files.project_id
|
|
AND p.association_id IN (SELECT get_user_association_ids())
|
|
)
|
|
);
|
|
|
|
-- bank_accounts - also needs staff bypass (was overly restricted)
|
|
DROP POLICY IF EXISTS "Staff full access on own association bank_accounts" ON public.bank_accounts;
|
|
CREATE POLICY "Staff full access on bank_accounts"
|
|
ON public.bank_accounts FOR ALL TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
)
|
|
WITH CHECK (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
);
|
|
|
|
-- chart_of_accounts - was already USING(true), check if it needs fixing
|
|
DROP POLICY IF EXISTS "Authenticated users can view chart_of_accounts" ON public.chart_of_accounts;
|
|
CREATE POLICY "Users can view chart of accounts"
|
|
ON public.chart_of_accounts FOR SELECT TO authenticated
|
|
USING (
|
|
has_role(auth.uid(), 'admin'::app_role)
|
|
OR has_role(auth.uid(), 'manager'::app_role)
|
|
OR association_id IN (SELECT get_user_association_ids())
|
|
OR association_id IS NULL
|
|
);
|