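-- Migration 009: production RLS policies
--
-- ⚠️ MANDATORY PREREQUISITE before running this migration:
-- insert an admin profile for YOUR current user. If you skip this you
-- will lock yourself out and will not be able to reach the data.
--
-- Run FIRST (replace the email placeholder):
-- INSERT INTO public.user_profiles (id, email, role)
-- SELECT id, email, 'admin' FROM auth.users
-- WHERE email = '<your-admin-email>'
-- ON CONFLICT (id) DO NOTHING;
--
-- Verify that you still have access BEFORE continuing.
--
-- Every policy below relies on public.get_user_role(), which is defined
-- outside this file. NOTE(review): confirm that it resolves the role from
-- user_profiles via auth.uid() (not from client-supplied claims) and that no
-- policy allows a user to UPDATE their own role row; otherwise the role checks
-- below can be sidestepped.
--
-- The migration is written to be re-runnable: each CREATE POLICY is preceded by
-- DROP POLICY IF EXISTS of the same name (Postgres has no CREATE POLICY IF NOT
-- EXISTS), and ENABLE ROW LEVEL SECURITY is idempotent. Policies are only
-- enforced on tables where RLS is enabled, so it is stated explicitly here.

-- ────────────────────────────────────────────────────────────
-- TABLE: reservations
-- ────────────────────────────────────────────────────────────

ALTER TABLE public.reservations ENABLE ROW LEVEL SECURITY;

-- Remove the open dev-mode policies
DROP POLICY IF EXISTS "Enable read access for all users" ON public.reservations;
DROP POLICY IF EXISTS "Enable insert for all users" ON public.reservations;
DROP POLICY IF EXISTS "Enable update for all users" ON public.reservations;
DROP POLICY IF EXISTS "Enable delete for all users" ON public.reservations;

-- admin and internal_staff: full access to the table
DROP POLICY IF EXISTS "Staff: full read" ON public.reservations;
CREATE POLICY "Staff: full read"
ON public.reservations FOR SELECT TO authenticated
USING (public.get_user_role() IN ('admin', 'internal_staff'));

DROP POLICY IF EXISTS "Staff: insert" ON public.reservations;
CREATE POLICY "Staff: insert"
ON public.reservations FOR INSERT TO authenticated
WITH CHECK (public.get_user_role() IN ('admin', 'internal_staff'));

-- UPDATE needs both clauses: USING picks which rows may be touched,
-- WITH CHECK validates the row as it looks after the update.
DROP POLICY IF EXISTS "Staff: update" ON public.reservations;
CREATE POLICY "Staff: update"
ON public.reservations FOR UPDATE TO authenticated
USING (public.get_user_role() IN ('admin', 'internal_staff'))
WITH CHECK (public.get_user_role() IN ('admin', 'internal_staff'));

DROP POLICY IF EXISTS "Staff: delete" ON public.reservations;
CREATE POLICY "Staff: delete"
ON public.reservations FOR DELETE TO authenticated
USING (public.get_user_role() IN ('admin', 'internal_staff'));

-- external_availability_viewer: NO direct access to the reservations table.
-- It only reaches the reservations_availability view (migration 008).
-- NOTE(review): a Postgres view runs with its owner's privileges unless it is
-- defined with security_invoker, so that view is the effective boundary for
-- this role — confirm it exposes only availability columns, no PII.

-- ────────────────────────────────────────────────────────────
-- TABLE: reservation_contracts
-- ────────────────────────────────────────────────────────────

ALTER TABLE public.reservation_contracts ENABLE ROW LEVEL SECURITY;

DROP POLICY IF EXISTS "Temp: authenticated can manage contracts" ON public.reservation_contracts;

DROP POLICY IF EXISTS "Staff: manage contracts" ON public.reservation_contracts;
CREATE POLICY "Staff: manage contracts"
ON public.reservation_contracts FOR ALL TO authenticated
USING (public.get_user_role() IN ('admin', 'internal_staff'))
WITH CHECK (public.get_user_role() IN ('admin', 'internal_staff'));

-- ────────────────────────────────────────────────────────────
-- TABLE: notification_events
-- ────────────────────────────────────────────────────────────

ALTER TABLE public.notification_events ENABLE ROW LEVEL SECURITY;

DROP POLICY IF EXISTS "Temp: authenticated can read notifications" ON public.notification_events;

DROP POLICY IF EXISTS "Admin: read notifications" ON public.notification_events;
CREATE POLICY "Admin: read notifications"
ON public.notification_events FOR SELECT TO authenticated
USING (public.get_user_role() = 'admin');

-- The API uses service_role for INSERT/UPDATE on notification_events (bypasses RLS).

-- ────────────────────────────────────────────────────────────
-- TABLE: user_profiles
-- ────────────────────────────────────────────────────────────

ALTER TABLE public.user_profiles ENABLE ROW LEVEL SECURITY;

-- The existing policy "Users can read own profile" is kept.
-- The API uses service_role to manage profiles; no write policy is
-- granted to authenticated here, which keeps the role column out of
-- reach of the users whose access it governs.

-- ────────────────────────────────────────────────────────────
-- REVOKE anonymous access to all tables
-- ────────────────────────────────────────────────────────────
-- NOTE(review): this only covers these four tables; tables added later may
-- still receive anon grants through default privileges — re-check when
-- adding tables.
REVOKE ALL ON public.reservations FROM anon;
REVOKE ALL ON public.reservation_contracts FROM anon;
REVOKE ALL ON public.notification_events FROM anon;
REVOKE ALL ON public.user_profiles FROM anon;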