Added programmer role and fixed snackbar not showing

This commit is contained in:
2026-03-16 07:23:20 +08:00
parent 9f7791e56f
commit 81853c4367
23 changed files with 362 additions and 65 deletions
@@ -0,0 +1,6 @@
-- Add `programmer` to the `user_role` enum.
--
-- This is used by the application for role-based access checks. It must be
-- committed before any other schema objects (e.g., RLS policies) reference it.
ALTER TYPE user_role ADD VALUE IF NOT EXISTS 'programmer';
@@ -0,0 +1,117 @@
-- Add `programmer` role to admin-level access checks without granting approval privileges.
--
-- NOTE: This role should have the same access as admins in the UI and for
-- non-approval data access. However, it must NOT be able to approve/reject
-- pass slips, leave applications, swap requests, etc.
-- NOTE: The `programmer` enum value is added in a prior migration so
-- it can safely be used in RLS policies and other schema objects.
-- Teams: allow programmers to manage teams like admins.
DROP POLICY IF EXISTS "Admins can manage teams (select)" ON public.teams;
DROP POLICY IF EXISTS "Admins can manage teams (write)" ON public.teams;
CREATE POLICY "Admins can manage teams (select)" ON public.teams
FOR SELECT
USING (
EXISTS (
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'programmer')
)
);
CREATE POLICY "Admins can manage teams (write)" ON public.teams
FOR ALL
USING (
EXISTS (
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'programmer')
)
)
WITH CHECK (
EXISTS (
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'programmer')
)
);
-- Team members: allow programmers to view/insert like admins.
DROP POLICY IF EXISTS "Admins can manage team_members (select)" ON public.team_members;
DROP POLICY IF EXISTS "Admins can manage team_members (write)" ON public.team_members;
CREATE POLICY "Admins can manage team_members (select)" ON public.team_members
FOR SELECT
USING (
EXISTS (
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'programmer')
)
);
CREATE POLICY "Admins can manage team_members (write)" ON public.team_members
FOR ALL
USING (
EXISTS (
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'programmer')
)
)
WITH CHECK (
EXISTS (
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'programmer')
)
);
-- Pass slips: allow programmers to view all slips like admins/dispatchers.
DROP POLICY IF EXISTS "pass_slips_select" ON pass_slips;
CREATE POLICY "pass_slips_select" ON pass_slips FOR SELECT TO authenticated
USING (
user_id = auth.uid()
OR EXISTS (
SELECT 1 FROM profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'dispatcher', 'programmer')
)
);
-- Leaves: allow programmers to view/file leaves like admins/dispatchers/it_staff.
DROP POLICY IF EXISTS "Privileged users can view all leaves" ON leave_of_absence;
CREATE POLICY "Privileged users can view all leaves"
ON leave_of_absence FOR SELECT
USING (
EXISTS (
SELECT 1 FROM profiles
WHERE profiles.id = auth.uid()
AND profiles.role IN ('admin', 'dispatcher', 'it_staff', 'programmer')
)
);
DROP POLICY IF EXISTS "Privileged users can file own leaves" ON leave_of_absence;
CREATE POLICY "Privileged users can file own leaves"
ON leave_of_absence FOR INSERT
WITH CHECK (
user_id = auth.uid()
AND filed_by = auth.uid()
AND EXISTS (
SELECT 1 FROM profiles
WHERE profiles.id = auth.uid()
AND profiles.role IN ('admin', 'dispatcher', 'it_staff', 'programmer')
)
);
-- Swap request participants: allow programmers to view/insert participant rows.
DROP POLICY IF EXISTS "Swap participants: select" ON public.swap_request_participants;
CREATE POLICY "Swap participants: select" ON public.swap_request_participants
FOR SELECT
USING (
user_id = auth.uid()
OR EXISTS (
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'dispatcher', 'programmer')
)
OR EXISTS (
SELECT 1 FROM public.swap_requests s WHERE s.id = swap_request_id AND (s.requester_id = auth.uid() OR s.recipient_id = auth.uid())
)
);
DROP POLICY IF EXISTS "Swap participants: insert" ON public.swap_request_participants;
CREATE POLICY "Swap participants: insert" ON public.swap_request_participants
FOR INSERT
WITH CHECK (
user_id = auth.uid()
OR EXISTS (
SELECT 1 FROM public.profiles p WHERE p.id = auth.uid() AND p.role IN ('admin', 'dispatcher', 'programmer')
)
);
@@ -0,0 +1,31 @@
-- Ensure office management works for the new `programmer` role.
--
-- If RLS is enabled for offices, insert/update/delete operations can fail unless
-- there is an explicit policy allowing those roles.
ALTER TABLE IF EXISTS offices ENABLE ROW LEVEL SECURITY;
-- Allow any authenticated user to read offices (used for dropdowns/filters).
DROP POLICY IF EXISTS "Offices: select auth" ON offices;
CREATE POLICY "Offices: select auth" ON offices
FOR SELECT
USING (auth.role() IS NOT NULL);
-- Allow admin/dispatcher/programmer to insert/update/delete offices.
DROP POLICY IF EXISTS "Offices: manage" ON offices;
CREATE POLICY "Offices: manage" ON offices
FOR ALL
USING (
EXISTS (
SELECT 1 FROM profiles p
WHERE p.id = auth.uid()
AND p.role IN ('admin', 'dispatcher', 'programmer')
)
)
WITH CHECK (
EXISTS (
SELECT 1 FROM profiles p
WHERE p.id = auth.uid()
AND p.role IN ('admin', 'dispatcher', 'programmer')
)
);