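-- Migration: allow privileged profiles to write public.app_versions.
--
-- Replaces the service-only write policy with one that also admits
-- authenticated users whose profile role is admin, dispatcher or it_staff,
-- while keeping service_role write access. This lets the web admin uploader
-- work for privileged users without exposing writes to all authenticated users.
--
-- NOTE(review): this policy trusts public.profiles.role as the source of
-- privilege. Confirm that RLS and column privileges on public.profiles do not
-- let a user change the role on their own row; if they do, any authenticated
-- user can grant themselves write access to app_versions.
-- NOTE(review): the EXISTS subquery runs with the caller's privileges, so the
-- caller must be allowed by public.profiles' own RLS to read their profile row;
-- otherwise the check evaluates to false even for privileged users.

-- Remove the service-only policy this migration replaces (no-op if absent).
DROP POLICY IF EXISTS "app_versions_service_write" ON public.app_versions;

-- Remove any earlier copy of the new policy so the migration can be re-run:
-- CREATE POLICY fails when a policy of the same name already exists.
DROP POLICY IF EXISTS "app_versions_service_or_admin_write" ON public.app_versions;

-- Combined policy: the service_role, or a profile with an elevated role, may
-- insert/update/delete. FOR ALL also covers SELECT, so this permissive policy
-- additionally lets the same principals read rows; it does not narrow reads
-- granted by other policies. No TO clause is given, so the policy is attached
-- to every database role and the expressions below do all the filtering.
CREATE POLICY "app_versions_service_or_admin_write" ON public.app_versions
    FOR ALL
    -- USING: which existing rows the caller may target (UPDATE/DELETE/SELECT).
    USING (
        auth.role() = 'service_role'
        OR EXISTS (
            SELECT 1
            FROM public.profiles AS p
            WHERE p.id = auth.uid()
              AND p.role IN ('admin', 'dispatcher', 'it_staff')
        )
    )
    -- WITH CHECK: which new or modified rows the caller may write
    -- (INSERT/UPDATE). Kept identical to USING on purpose.
    WITH CHECK (
        auth.role() = 'service_role'
        OR EXISTS (
            SELECT 1
            FROM public.profiles AS p
            WHERE p.id = auth.uid()
              AND p.role IN ('admin', 'dispatcher', 'it_staff')
        )
    );

-- Notes:
-- - CREATE POLICY and DROP POLICY must be run by a role that owns
--   public.app_versions, for example from the Supabase SQL editor or your
--   migration tooling. An API key used through the REST interface is not
--   expected to be able to run this DDL; verify for your setup.
-- - Policies only take effect when row level security is enabled on the
--   table. This migration does not enable it; confirm that it is enabled
--   elsewhere.
-- - If your project stores roles in a different table or column, adjust the
--   `SELECT` accordingly.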