Added My Schedule tab in attendance screen
Allow 1 Day, Whole Week and Date Range swapping
This commit is contained in:
@@ -0,0 +1,117 @@
|
||||
-- Fix respond_shift_swap:
|
||||
-- 1. Guard against double-processing (idempotent — return early if already terminal)
|
||||
-- 2. SECURITY DEFINER to bypass RLS for cross-user duty_schedule ownership checks
|
||||
-- (the function still enforces caller identity via auth.uid())
|
||||
|
||||
CREATE OR REPLACE FUNCTION public.respond_shift_swap(p_swap_id uuid, p_action text)
|
||||
RETURNS void LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
|
||||
DECLARE
|
||||
v_swap RECORD;
|
||||
BEGIN
|
||||
SELECT * INTO v_swap FROM public.swap_requests WHERE id = p_swap_id;
|
||||
IF NOT FOUND THEN
|
||||
RAISE EXCEPTION 'swap request not found';
|
||||
END IF;
|
||||
|
||||
IF p_action NOT IN ('accepted','rejected','admin_review') THEN
|
||||
RAISE EXCEPTION 'invalid action';
|
||||
END IF;
|
||||
|
||||
-- Idempotency guard: already in terminal state → nothing more to do.
|
||||
-- This prevents spurious "ownership changed" errors when a stale UI retries
|
||||
-- an acceptance that was already processed on another device or by an admin.
|
||||
IF v_swap.status IN ('accepted', 'rejected') THEN
|
||||
RETURN;
|
||||
END IF;
|
||||
|
||||
IF p_action = 'accepted' THEN
|
||||
-- only recipient or admin/dispatcher can accept
|
||||
IF NOT (
|
||||
v_swap.recipient_id = auth.uid()
|
||||
OR EXISTS (SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin','dispatcher'))
|
||||
) THEN
|
||||
RAISE EXCEPTION 'permission denied';
|
||||
END IF;
|
||||
|
||||
-- ensure both shifts are still owned by the expected users before swapping
|
||||
IF NOT EXISTS (SELECT 1 FROM public.duty_schedules WHERE id = v_swap.shift_id AND user_id = v_swap.requester_id) THEN
|
||||
RAISE EXCEPTION 'requester shift ownership changed, cannot accept swap';
|
||||
END IF;
|
||||
IF v_swap.target_shift_id IS NULL THEN
|
||||
RAISE EXCEPTION 'target shift missing';
|
||||
END IF;
|
||||
IF NOT EXISTS (SELECT 1 FROM public.duty_schedules WHERE id = v_swap.target_shift_id AND user_id = v_swap.recipient_id) THEN
|
||||
RAISE EXCEPTION 'target shift ownership changed, cannot accept swap';
|
||||
END IF;
|
||||
|
||||
-- perform the swap (atomic within function) and stamp swap_request_id
|
||||
UPDATE public.duty_schedules
|
||||
SET user_id = v_swap.recipient_id, swap_request_id = p_swap_id
|
||||
WHERE id = v_swap.shift_id;
|
||||
|
||||
UPDATE public.duty_schedules
|
||||
SET user_id = v_swap.requester_id, swap_request_id = p_swap_id
|
||||
WHERE id = v_swap.target_shift_id;
|
||||
|
||||
UPDATE public.swap_requests
|
||||
SET status = 'accepted', updated_at = now()
|
||||
WHERE id = p_swap_id;
|
||||
|
||||
INSERT INTO public.swap_request_participants(swap_request_id, user_id, role)
|
||||
VALUES (p_swap_id, auth.uid(), 'approver')
|
||||
ON CONFLICT DO NOTHING;
|
||||
|
||||
INSERT INTO public.notifications(user_id, actor_id, type, created_at)
|
||||
VALUES (v_swap.requester_id, auth.uid(), 'swap_update', now());
|
||||
|
||||
ELSIF p_action = 'rejected' THEN
|
||||
-- only recipient or admin/dispatcher can reject
|
||||
IF NOT (
|
||||
v_swap.recipient_id = auth.uid()
|
||||
OR EXISTS (SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin','dispatcher'))
|
||||
) THEN
|
||||
RAISE EXCEPTION 'permission denied';
|
||||
END IF;
|
||||
|
||||
UPDATE public.swap_requests
|
||||
SET status = 'rejected', updated_at = now()
|
||||
WHERE id = p_swap_id;
|
||||
|
||||
INSERT INTO public.swap_request_participants(swap_request_id, user_id, role)
|
||||
VALUES (p_swap_id, auth.uid(), 'approver')
|
||||
ON CONFLICT DO NOTHING;
|
||||
|
||||
INSERT INTO public.notifications(user_id, actor_id, type, created_at)
|
||||
VALUES (v_swap.requester_id, auth.uid(), 'swap_update', now());
|
||||
|
||||
ELSE -- admin_review
|
||||
-- only requester may escalate for admin review
|
||||
IF NOT (v_swap.requester_id = auth.uid()) THEN
|
||||
RAISE EXCEPTION 'permission denied';
|
||||
END IF;
|
||||
|
||||
UPDATE public.swap_requests
|
||||
SET status = 'admin_review', updated_at = now()
|
||||
WHERE id = p_swap_id;
|
||||
|
||||
INSERT INTO public.notifications(user_id, actor_id, type, created_at)
|
||||
VALUES (v_swap.requester_id, auth.uid(), 'swap_update', now());
|
||||
END IF;
|
||||
END;
|
||||
$$;
|
||||
|
||||
-- Re-grant EXECUTE to authenticated users.
|
||||
-- SECURITY DEFINER functions drop existing grants on replace, so this must
|
||||
-- be explicit.
|
||||
GRANT EXECUTE ON FUNCTION public.respond_shift_swap(uuid, text) TO authenticated;
|
||||
|
||||
-- Enable full replica identity so UPDATE events include all columns,
|
||||
-- and add to the realtime publication so .stream() receives changes.
|
||||
-- Without this, the Flutter client never sees status transitions (e.g.
|
||||
-- pending → accepted) via Supabase Realtime — only the initial REST fetch.
|
||||
ALTER TABLE public.swap_requests REPLICA IDENTITY FULL;
|
||||
DO $$ BEGIN
|
||||
ALTER PUBLICATION supabase_realtime ADD TABLE public.swap_requests;
|
||||
EXCEPTION WHEN duplicate_object THEN
|
||||
NULL; -- already present
|
||||
END $$;
|
||||
Reference in New Issue
Block a user