Added programmer role and fixed snackbar not showing
This commit is contained in:
@@ -0,0 +1,6 @@
|
||||
-- Add `programmer` to the `user_role` enum.
|
||||
--
|
||||
-- This is used by the application for role-based access checks. It must be
|
||||
-- committed before any other schema objects (e.g., RLS policies) reference it.
|
||||
|
||||
ALTER TYPE user_role ADD VALUE IF NOT EXISTS 'programmer';
|
||||
@@ -0,0 +1,117 @@
|
||||
-- Add `programmer` role to admin-level access checks without granting approval privileges.
|
||||
--
|
||||
-- NOTE: This role should have the same access as admins in the UI and for
|
||||
-- non-approval data access. However, it must NOT be able to approve/reject
|
||||
-- pass slips, leave applications, swap requests, etc.
|
||||
|
||||
-- NOTE: The `programmer` enum value is added in a prior migration so
|
||||
-- it can safely be used in RLS policies and other schema objects.
|
||||
|
||||
-- Teams: allow programmers to manage teams like admins.
|
||||
DROP POLICY IF EXISTS "Admins can manage teams (select)" ON public.teams;
|
||||
DROP POLICY IF EXISTS "Admins can manage teams (write)" ON public.teams;
|
||||
|
||||
CREATE POLICY "Admins can manage teams (select)" ON public.teams
|
||||
FOR SELECT
|
||||
USING (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'programmer')
|
||||
)
|
||||
);
|
||||
|
||||
CREATE POLICY "Admins can manage teams (write)" ON public.teams
|
||||
FOR ALL
|
||||
USING (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'programmer')
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'programmer')
|
||||
)
|
||||
);
|
||||
|
||||
-- Team members: allow programmers to view/insert like admins.
|
||||
DROP POLICY IF EXISTS "Admins can manage team_members (select)" ON public.team_members;
|
||||
DROP POLICY IF EXISTS "Admins can manage team_members (write)" ON public.team_members;
|
||||
|
||||
CREATE POLICY "Admins can manage team_members (select)" ON public.team_members
|
||||
FOR SELECT
|
||||
USING (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'programmer')
|
||||
)
|
||||
);
|
||||
|
||||
CREATE POLICY "Admins can manage team_members (write)" ON public.team_members
|
||||
FOR ALL
|
||||
USING (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'programmer')
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'programmer')
|
||||
)
|
||||
);
|
||||
|
||||
-- Pass slips: allow programmers to view all slips like admins/dispatchers.
|
||||
DROP POLICY IF EXISTS "pass_slips_select" ON pass_slips;
|
||||
CREATE POLICY "pass_slips_select" ON pass_slips FOR SELECT TO authenticated
|
||||
USING (
|
||||
user_id = auth.uid()
|
||||
OR EXISTS (
|
||||
SELECT 1 FROM profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'dispatcher', 'programmer')
|
||||
)
|
||||
);
|
||||
|
||||
-- Leaves: allow programmers to view/file leaves like admins/dispatchers/it_staff.
|
||||
DROP POLICY IF EXISTS "Privileged users can view all leaves" ON leave_of_absence;
|
||||
CREATE POLICY "Privileged users can view all leaves"
|
||||
ON leave_of_absence FOR SELECT
|
||||
USING (
|
||||
EXISTS (
|
||||
SELECT 1 FROM profiles
|
||||
WHERE profiles.id = auth.uid()
|
||||
AND profiles.role IN ('admin', 'dispatcher', 'it_staff', 'programmer')
|
||||
)
|
||||
);
|
||||
|
||||
DROP POLICY IF EXISTS "Privileged users can file own leaves" ON leave_of_absence;
|
||||
CREATE POLICY "Privileged users can file own leaves"
|
||||
ON leave_of_absence FOR INSERT
|
||||
WITH CHECK (
|
||||
user_id = auth.uid()
|
||||
AND filed_by = auth.uid()
|
||||
AND EXISTS (
|
||||
SELECT 1 FROM profiles
|
||||
WHERE profiles.id = auth.uid()
|
||||
AND profiles.role IN ('admin', 'dispatcher', 'it_staff', 'programmer')
|
||||
)
|
||||
);
|
||||
|
||||
-- Swap request participants: allow programmers to view/insert participant rows.
|
||||
DROP POLICY IF EXISTS "Swap participants: select" ON public.swap_request_participants;
|
||||
CREATE POLICY "Swap participants: select" ON public.swap_request_participants
|
||||
FOR SELECT
|
||||
USING (
|
||||
user_id = auth.uid()
|
||||
OR EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'dispatcher', 'programmer')
|
||||
)
|
||||
OR EXISTS (
|
||||
SELECT 1 FROM public.swap_requests s WHERE s.id = swap_request_id AND (s.requester_id = auth.uid() OR s.recipient_id = auth.uid())
|
||||
)
|
||||
);
|
||||
|
||||
DROP POLICY IF EXISTS "Swap participants: insert" ON public.swap_request_participants;
|
||||
CREATE POLICY "Swap participants: insert" ON public.swap_request_participants
|
||||
FOR INSERT
|
||||
WITH CHECK (
|
||||
user_id = auth.uid()
|
||||
OR EXISTS (
|
||||
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'dispatcher', 'programmer')
|
||||
)
|
||||
);
|
||||
@@ -0,0 +1,31 @@
|
||||
-- Ensure office management works for the new `programmer` role.
|
||||
--
|
||||
-- If RLS is enabled for offices, insert/update/delete operations can fail unless
|
||||
-- there is an explicit policy allowing those roles.
|
||||
|
||||
ALTER TABLE IF EXISTS offices ENABLE ROW LEVEL SECURITY;
|
||||
|
||||
-- Allow any authenticated user to read offices (used for dropdowns/filters).
|
||||
DROP POLICY IF EXISTS "Offices: select auth" ON offices;
|
||||
CREATE POLICY "Offices: select auth" ON offices
|
||||
FOR SELECT
|
||||
USING (auth.role() IS NOT NULL);
|
||||
|
||||
-- Allow admin/dispatcher/programmer to insert/update/delete offices.
|
||||
DROP POLICY IF EXISTS "Offices: manage" ON offices;
|
||||
CREATE POLICY "Offices: manage" ON offices
|
||||
FOR ALL
|
||||
USING (
|
||||
EXISTS (
|
||||
SELECT 1 FROM profiles p
|
||||
WHERE p.id = auth.uid()
|
||||
AND p.role IN ('admin', 'dispatcher', 'programmer')
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
EXISTS (
|
||||
SELECT 1 FROM profiles p
|
||||
WHERE p.id = auth.uid()
|
||||
AND p.role IN ('admin', 'dispatcher', 'programmer')
|
||||
)
|
||||
);
|
||||
Reference in New Issue
Block a user