Files
avbeat-com/supabase/migrations/20260322190000_role_permissions.sql
2026-05-07 16:39:17 +00:00

83 lines
3.5 KiB
SQL

-- ============================================================
-- Migration: role_permissions + role activity log extensions
-- Timestamp: 20260322190000
-- ============================================================
-- 1. role_permissions table: stores per-role permission flags
CREATE TABLE IF NOT EXISTS public.role_permissions (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
role TEXT NOT NULL UNIQUE,
can_publish_articles BOOLEAN NOT NULL DEFAULT false,
can_edit_articles BOOLEAN NOT NULL DEFAULT false,
can_delete_articles BOOLEAN NOT NULL DEFAULT false,
can_manage_comments BOOLEAN NOT NULL DEFAULT false,
can_moderate_forum BOOLEAN NOT NULL DEFAULT false,
can_pin_threads BOOLEAN NOT NULL DEFAULT false,
can_lock_threads BOOLEAN NOT NULL DEFAULT false,
can_flag_content BOOLEAN NOT NULL DEFAULT false,
can_view_analytics BOOLEAN NOT NULL DEFAULT false,
can_manage_newsletter BOOLEAN NOT NULL DEFAULT false,
can_invite_users BOOLEAN NOT NULL DEFAULT false,
can_manage_users BOOLEAN NOT NULL DEFAULT false,
updated_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX IF NOT EXISTS idx_role_permissions_role ON public.role_permissions(role);
-- 2. Enable RLS
ALTER TABLE public.role_permissions ENABLE ROW LEVEL SECURITY;
-- 3. RLS Policies
DROP POLICY IF EXISTS "admin_manage_role_permissions" ON public.role_permissions;
CREATE POLICY "admin_manage_role_permissions"
ON public.role_permissions
FOR ALL
TO authenticated
USING (public.is_admin_user())
WITH CHECK (public.is_admin_user());
DROP POLICY IF EXISTS "authenticated_read_role_permissions" ON public.role_permissions;
CREATE POLICY "authenticated_read_role_permissions"
ON public.role_permissions
FOR SELECT
TO authenticated
USING (true);
-- 4. Trigger for updated_at
DROP TRIGGER IF EXISTS update_role_permissions_updated_at ON public.role_permissions;
CREATE TRIGGER update_role_permissions_updated_at
BEFORE UPDATE ON public.role_permissions
FOR EACH ROW EXECUTE FUNCTION public.update_updated_at();
-- 5. Extend audit_action_type enum with role-related actions
-- We add new values to the existing enum safely
DO $$
BEGIN
IF NOT EXISTS (
SELECT 1 FROM pg_enum
WHERE enumlabel = 'role_permission_updated'
AND enumtypid = (SELECT oid FROM pg_type WHERE typname = 'audit_action_type')
) THEN
ALTER TYPE public.audit_action_type ADD VALUE 'role_permission_updated';
END IF;
IF NOT EXISTS (
SELECT 1 FROM pg_enum
WHERE enumlabel = 'role_assigned'
AND enumtypid = (SELECT oid FROM pg_type WHERE typname = 'audit_action_type')
) THEN
ALTER TYPE public.audit_action_type ADD VALUE 'role_assigned';
END IF;
END $$;
-- 6. Seed default role permissions
INSERT INTO public.role_permissions (role, can_publish_articles, can_edit_articles, can_delete_articles, can_manage_comments, can_moderate_forum, can_pin_threads, can_lock_threads, can_flag_content, can_view_analytics, can_manage_newsletter, can_invite_users, can_manage_users)
VALUES
('admin', true, true, true, true, true, true, true, true, true, true, true, true),
('editor', true, true, false, true, false, false, false, true, true, false, false, false),
('moderator', false, false, false, true, true, true, true, true, false, false, false, false),
('contributor', false, true, false, false, false, false, false, false, false, false, false, false),
('reader', false, false, false, false, false, false, false, false, false, false, false, false)
ON CONFLICT (role) DO NOTHING;