chore: remove unused profile lock migration and admin_profile_service
This commit is contained in:
@@ -0,0 +1,2 @@
|
||||
alter table public.duty_schedules
|
||||
add column if not exists reliever_ids uuid[] default '{}'::uuid[];
|
||||
@@ -0,0 +1,42 @@
|
||||
-- Enforce that team leaders and team members must be profiles with role = 'it_staff'
|
||||
|
||||
-- Function: validate_team_leader_is_it_staff
|
||||
create or replace function public.validate_team_leader_is_it_staff()
|
||||
returns trigger language plpgsql as $$
|
||||
begin
|
||||
if new.leader_id is not null then
|
||||
perform 1 from public.profiles where id = new.leader_id and role = 'it_staff';
|
||||
if not found then
|
||||
raise exception 'team leader must have role "it_staff"';
|
||||
end if;
|
||||
end if;
|
||||
return new;
|
||||
end;
|
||||
$$;
|
||||
|
||||
-- Trigger on teams
|
||||
drop trigger if exists trig_validate_team_leader on public.teams;
|
||||
create trigger trig_validate_team_leader
|
||||
before insert or update on public.teams
|
||||
for each row execute function public.validate_team_leader_is_it_staff();
|
||||
|
||||
|
||||
-- Function: validate_team_member_is_it_staff
|
||||
create or replace function public.validate_team_member_is_it_staff()
|
||||
returns trigger language plpgsql as $$
|
||||
begin
|
||||
if new.user_id is not null then
|
||||
perform 1 from public.profiles where id = new.user_id and role = 'it_staff';
|
||||
if not found then
|
||||
raise exception 'team member must have role "it_staff"';
|
||||
end if;
|
||||
end if;
|
||||
return new;
|
||||
end;
|
||||
$$;
|
||||
|
||||
-- Trigger on team_members
|
||||
drop trigger if exists trig_validate_team_member on public.team_members;
|
||||
create trigger trig_validate_team_member
|
||||
before insert or update on public.team_members
|
||||
for each row execute function public.validate_team_member_is_it_staff();
|
||||
@@ -0,0 +1,49 @@
|
||||
-- Row-level security for teams and team_members
|
||||
|
||||
-- Enable RLS on teams and team_members
|
||||
ALTER TABLE public.teams ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE public.team_members ENABLE ROW LEVEL SECURITY;
|
||||
|
||||
-- Allow only profiles with role = 'admin' to select/manage teams
|
||||
CREATE POLICY "Admins can manage teams (select)" ON public.teams
|
||||
FOR SELECT
|
||||
USING (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role = 'admin'
|
||||
)
|
||||
);
|
||||
|
||||
CREATE POLICY "Admins can manage teams (write)" ON public.teams
|
||||
FOR ALL
|
||||
USING (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role = 'admin'
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role = 'admin'
|
||||
)
|
||||
);
|
||||
|
||||
-- Policies for team_members (admin-only management)
|
||||
CREATE POLICY "Admins can manage team_members (select)" ON public.team_members
|
||||
FOR SELECT
|
||||
USING (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role = 'admin'
|
||||
)
|
||||
);
|
||||
|
||||
CREATE POLICY "Admins can manage team_members (write)" ON public.team_members
|
||||
FOR ALL
|
||||
USING (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role = 'admin'
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role = 'admin'
|
||||
)
|
||||
);
|
||||
Reference in New Issue
Block a user