491 lines
16 KiB
PL/PgSQL
491 lines
16 KiB
PL/PgSQL
--[ Database Schema Version ]--
|
|
-- Version: 1.0.0
|
|
-- Last Updated: 2024-02-24
|
|
-- Description: Initial schema setup for ClassConcepts
|
|
-- Dependencies: auth.users (Supabase Auth)
|
|
|
|
--[ Validation ]--
|
|
do $$
|
|
begin
|
|
-- Verify required extensions
|
|
if not exists (select 1 from pg_extension where extname = 'uuid-ossp') then
|
|
raise exception 'Required extension uuid-ossp is not installed';
|
|
end if;
|
|
|
|
-- Verify auth schema exists
|
|
if not exists (select 1 from information_schema.schemata where schema_name = 'auth') then
|
|
raise exception 'Required auth schema is not available';
|
|
end if;
|
|
|
|
-- Verify storage schema exists
|
|
if not exists (select 1 from information_schema.schemata where schema_name = 'storage') then
|
|
raise exception 'Required storage schema is not available';
|
|
end if;
|
|
end $$;
|
|
|
|
--[ 1. Extensions ]--
|
|
create extension if not exists "uuid-ossp";
|
|
|
|
-- Create rpc schema if it doesn't exist
|
|
create schema if not exists rpc;
|
|
grant usage on schema rpc to anon, authenticated;
|
|
|
|
-- Create exec_sql function for admin operations
|
|
create or replace function exec_sql(query text)
|
|
returns void as $$
|
|
begin
|
|
execute query;
|
|
end;
|
|
$$ language plpgsql security definer;
|
|
|
|
-- Create updated_at trigger function
|
|
create or replace function public.handle_updated_at()
|
|
returns trigger as $$
|
|
begin
|
|
new.updated_at = timezone('utc'::text, now());
|
|
return new;
|
|
end;
|
|
$$ language plpgsql security definer;
|
|
|
|
--[ 5. Core Tables ]--
|
|
-- Base user profiles
|
|
create table if not exists public.profiles (
|
|
id uuid primary key references auth.users(id) on delete cascade,
|
|
email text not null unique,
|
|
user_type text not null check (user_type in ('admin', 'email_teacher', 'email_student')),
|
|
username text not null unique,
|
|
display_name text,
|
|
metadata jsonb default '{}'::jsonb,
|
|
last_login timestamp with time zone,
|
|
created_at timestamp with time zone default timezone('utc'::text, now()),
|
|
updated_at timestamp with time zone default timezone('utc'::text, now())
|
|
);
|
|
comment on table public.profiles is 'User profiles linked to Supabase auth.users';
|
|
comment on column public.profiles.user_type is 'Type of user: admin, teacher, or student';
|
|
|
|
-- Institute import data
|
|
create table if not exists public.institute_imports (
|
|
id uuid primary key default uuid_generate_v4(),
|
|
urn text unique,
|
|
establishment_name text not null,
|
|
la_code text,
|
|
la_name text,
|
|
establishment_number text,
|
|
establishment_type text,
|
|
establishment_type_group text,
|
|
establishment_status text,
|
|
reason_establishment_opened text,
|
|
open_date date,
|
|
reason_establishment_closed text,
|
|
close_date date,
|
|
phase_of_education text,
|
|
statutory_low_age integer,
|
|
statutory_high_age integer,
|
|
boarders text,
|
|
nursery_provision text,
|
|
official_sixth_form text,
|
|
gender text,
|
|
religious_character text,
|
|
religious_ethos text,
|
|
diocese text,
|
|
admissions_policy text,
|
|
school_capacity integer,
|
|
special_classes text,
|
|
census_date date,
|
|
number_of_pupils integer,
|
|
number_of_boys integer,
|
|
number_of_girls integer,
|
|
percentage_fsm numeric(5,2),
|
|
trust_school_flag text,
|
|
trusts_name text,
|
|
school_sponsor_flag text,
|
|
school_sponsors_name text,
|
|
federation_flag text,
|
|
federations_name text,
|
|
ukprn text,
|
|
fehe_identifier text,
|
|
further_education_type text,
|
|
ofsted_last_inspection date,
|
|
last_changed_date date,
|
|
street text,
|
|
locality text,
|
|
address3 text,
|
|
town text,
|
|
county text,
|
|
postcode text,
|
|
school_website text,
|
|
telephone_num text,
|
|
head_title text,
|
|
head_first_name text,
|
|
head_last_name text,
|
|
head_preferred_job_title text,
|
|
gssla_code text,
|
|
parliamentary_constituency text,
|
|
urban_rural text,
|
|
rsc_region text,
|
|
country text,
|
|
uprn text,
|
|
sen_stat boolean,
|
|
sen_no_stat boolean,
|
|
sen_unit_on_roll integer,
|
|
sen_unit_capacity integer,
|
|
resourced_provision_on_roll integer,
|
|
resourced_provision_capacity integer,
|
|
metadata jsonb default '{}'::jsonb,
|
|
imported_at timestamp with time zone default timezone('utc'::text, now()),
|
|
updated_at timestamp with time zone default timezone('utc'::text, now())
|
|
);
|
|
comment on table public.institute_imports is 'Raw institute data imported from external sources';
|
|
|
|
-- Active institutes
|
|
create table if not exists public.institutes (
|
|
id uuid primary key default uuid_generate_v4(),
|
|
import_id uuid references public.institute_imports(id),
|
|
name text not null,
|
|
urn text unique,
|
|
status text not null default 'active' check (status in ('active', 'inactive', 'pending')),
|
|
address jsonb default '{}'::jsonb,
|
|
website text,
|
|
metadata jsonb default '{}'::jsonb,
|
|
neo4j_unique_id text,
|
|
neo4j_public_sync_status text default 'pending' check (neo4j_public_sync_status in ('pending', 'synced', 'failed')),
|
|
neo4j_public_sync_at timestamp with time zone,
|
|
neo4j_private_sync_status text default 'not_started' check (neo4j_private_sync_status in ('not_started', 'pending', 'synced', 'failed')),
|
|
neo4j_private_sync_at timestamp with time zone,
|
|
created_at timestamp with time zone default timezone('utc'::text, now()),
|
|
updated_at timestamp with time zone default timezone('utc'::text, now())
|
|
);
|
|
comment on table public.institutes is 'Active institutes in the system';
|
|
|
|
--[ 6. Relationship Tables ]--
|
|
-- Institute memberships
|
|
create table if not exists public.institute_memberships (
|
|
id uuid primary key default uuid_generate_v4(),
|
|
profile_id uuid references public.profiles(id) on delete cascade,
|
|
institute_id uuid references public.institutes(id) on delete cascade,
|
|
role text not null check (role in ('admin', 'teacher', 'student')),
|
|
tldraw_preferences jsonb default '{}'::jsonb,
|
|
metadata jsonb default '{}'::jsonb,
|
|
created_at timestamp with time zone default timezone('utc'::text, now()),
|
|
updated_at timestamp with time zone default timezone('utc'::text, now()),
|
|
unique(profile_id, institute_id)
|
|
);
|
|
comment on table public.institute_memberships is 'Manages user roles and relationships with institutes';
|
|
|
|
-- Membership requests
|
|
create table if not exists public.institute_membership_requests (
|
|
id uuid primary key default uuid_generate_v4(),
|
|
profile_id uuid references public.profiles(id) on delete cascade,
|
|
institute_id uuid references public.institutes(id) on delete cascade,
|
|
requested_role text check (requested_role in ('teacher', 'student')),
|
|
status text default 'pending' check (status in ('pending', 'approved', 'rejected')),
|
|
metadata jsonb default '{}'::jsonb,
|
|
created_at timestamp with time zone default timezone('utc'::text, now()),
|
|
updated_at timestamp with time zone default timezone('utc'::text, now())
|
|
);
|
|
comment on table public.institute_membership_requests is 'Tracks requests to join institutes';
|
|
|
|
--[ 7. Audit Tables ]--
|
|
-- System audit logs
|
|
create table if not exists public.audit_logs (
|
|
id uuid primary key default uuid_generate_v4(),
|
|
profile_id uuid references public.profiles(id) on delete set null,
|
|
action_type text,
|
|
table_name text,
|
|
record_id uuid,
|
|
changes jsonb,
|
|
created_at timestamp with time zone default timezone('utc'::text, now())
|
|
);
|
|
comment on table public.audit_logs is 'System-wide audit trail for important operations';
|
|
|
|
--[ 8. Auth Functions ]--
|
|
-- Create a secure function to check admin status
|
|
create or replace function auth.is_admin()
|
|
returns boolean as $$
|
|
select coalesce(
|
|
(select true
|
|
from public.profiles
|
|
where id = auth.uid()
|
|
and user_type = 'admin'),
|
|
false
|
|
);
|
|
$$ language sql security definer;
|
|
|
|
-- Create a secure function to check super admin status
|
|
create or replace function auth.is_super_admin()
|
|
returns boolean as $$
|
|
select coalesce(
|
|
(select role = 'supabase_admin'
|
|
from auth.users
|
|
where id = auth.uid()),
|
|
false
|
|
);
|
|
$$ language sql security definer;
|
|
|
|
-- Create public wrappers for the auth functions
|
|
create or replace function public.is_admin()
|
|
returns boolean as $$
|
|
select auth.is_admin();
|
|
$$ language sql security definer;
|
|
|
|
create or replace function public.is_super_admin()
|
|
returns boolean as $$
|
|
select auth.is_super_admin();
|
|
$$ language sql security definer;
|
|
|
|
-- Grant execute permissions
|
|
grant execute on function public.is_admin to authenticated;
|
|
grant execute on function public.is_super_admin to authenticated;
|
|
grant execute on function auth.is_admin to authenticated;
|
|
grant execute on function auth.is_super_admin to authenticated;
|
|
|
|
-- Initial admin setup function
|
|
create or replace function public.setup_initial_admin(admin_email text)
|
|
returns json
|
|
language plpgsql
|
|
security definer
|
|
as $$
|
|
declare
|
|
result json;
|
|
begin
|
|
-- Only allow this to run as service role or supabase_admin
|
|
if not (
|
|
current_user = 'service_role'
|
|
or exists (
|
|
select 1 from pg_roles
|
|
where rolname = current_user
|
|
and rolsuper
|
|
)
|
|
) then
|
|
raise exception 'Must be run as service_role or superuser';
|
|
end if;
|
|
|
|
-- Update user_type and username for admin
|
|
update public.profiles
|
|
set user_type = 'admin',
|
|
username = coalesce(username, 'superadmin'),
|
|
display_name = coalesce(display_name, 'Super Admin')
|
|
where email = admin_email
|
|
returning json_build_object(
|
|
'id', id,
|
|
'email', email,
|
|
'user_type', user_type,
|
|
'username', username,
|
|
'display_name', display_name
|
|
) into result;
|
|
|
|
if result is null then
|
|
raise exception 'Admin user with email % not found', admin_email;
|
|
end if;
|
|
|
|
return result;
|
|
end;
|
|
$$;
|
|
|
|
-- Grant execute permissions
|
|
revoke execute on function public.setup_initial_admin from public;
|
|
grant execute on function public.setup_initial_admin to authenticated, service_role, supabase_admin;
|
|
|
|
-- Create RPC wrapper for REST API access
|
|
create or replace function rpc.setup_initial_admin(admin_email text)
|
|
returns json
|
|
language plpgsql
|
|
security definer
|
|
as $$
|
|
begin
|
|
return public.setup_initial_admin(admin_email);
|
|
end;
|
|
$$;
|
|
|
|
-- Grant execute permissions for RPC wrapper
|
|
grant execute on function rpc.setup_initial_admin to authenticated, service_role, supabase_admin;
|
|
|
|
--[ 9. Utility Functions ]--
|
|
-- Check if database is ready
|
|
create or replace function check_db_ready()
|
|
returns boolean
|
|
language plpgsql
|
|
security definer
|
|
as $$
|
|
begin
|
|
-- Check if essential schemas exist
|
|
if not exists (
|
|
select 1
|
|
from information_schema.schemata
|
|
where schema_name in ('auth', 'storage', 'public')
|
|
) then
|
|
return false;
|
|
end if;
|
|
|
|
-- Check if essential tables exist
|
|
if not exists (
|
|
select 1
|
|
from information_schema.tables
|
|
where table_schema = 'auth'
|
|
and table_name = 'users'
|
|
) then
|
|
return false;
|
|
end if;
|
|
|
|
-- Check if RLS is enabled on public.profiles
|
|
if not exists (
|
|
select 1
|
|
from pg_tables
|
|
where schemaname = 'public'
|
|
and tablename = 'profiles'
|
|
and rowsecurity = true
|
|
) then
|
|
return false;
|
|
end if;
|
|
|
|
return true;
|
|
end;
|
|
$$;
|
|
|
|
-- Grant execute permission
|
|
grant execute on function check_db_ready to anon, authenticated, service_role;
|
|
|
|
-- Function to handle new user registration
|
|
create or replace function public.handle_new_user()
|
|
returns trigger
|
|
language plpgsql
|
|
security definer set search_path = public
|
|
as $$
|
|
declare
|
|
default_user_type text := 'email_student';
|
|
default_username text;
|
|
begin
|
|
-- Generate username from email
|
|
default_username := split_part(new.email, '@', 1);
|
|
|
|
insert into public.profiles (
|
|
id,
|
|
email,
|
|
user_type,
|
|
username,
|
|
display_name
|
|
)
|
|
values (
|
|
new.id,
|
|
new.email,
|
|
coalesce(new.raw_user_meta_data->>'user_type', default_user_type),
|
|
coalesce(new.raw_user_meta_data->>'username', default_username),
|
|
coalesce(new.raw_user_meta_data->>'display_name', default_username)
|
|
);
|
|
return new;
|
|
end;
|
|
$$;
|
|
|
|
-- Trigger for new user creation
|
|
drop trigger if exists on_auth_user_created on auth.users;
|
|
create trigger on_auth_user_created
|
|
after insert on auth.users
|
|
for each row execute procedure public.handle_new_user();
|
|
|
|
--[ 10. Security Setup ]--
|
|
-- Enable RLS
|
|
alter table if exists public.profiles enable row level security;
|
|
alter table if exists public.institute_imports enable row level security;
|
|
alter table if exists public.institutes enable row level security;
|
|
alter table if exists public.institute_memberships enable row level security;
|
|
alter table if exists public.institute_membership_requests enable row level security;
|
|
alter table if exists public.audit_logs enable row level security;
|
|
|
|
-- First, ensure proper schema access
|
|
grant usage on schema public to anon, authenticated;
|
|
|
|
-- First, drop existing policies
|
|
drop policy if exists "Users can read and update own profile" on public.profiles;
|
|
drop policy if exists "Users can update their profile during registration" on public.profiles;
|
|
|
|
-- Create updated policies
|
|
create policy "Users can read own profile"
|
|
on public.profiles for select
|
|
to authenticated
|
|
using (auth.uid() = id);
|
|
|
|
create policy "Users can update own profile"
|
|
on public.profiles for update
|
|
to authenticated
|
|
using (auth.uid() = id)
|
|
with check (auth.uid() = id);
|
|
|
|
create policy "Public can read basic profile info"
|
|
on public.profiles for select
|
|
to anon, authenticated
|
|
using (
|
|
user_type in ('email_teacher', 'email_student')
|
|
);
|
|
|
|
create policy "Super admins have full access"
|
|
on public.profiles for all
|
|
using (auth.is_super_admin());
|
|
|
|
create policy "Admins can read all profiles"
|
|
on public.profiles for select
|
|
using (auth.is_admin() or auth.is_super_admin());
|
|
|
|
-- Grant permissions
|
|
grant select, update on public.profiles to authenticated;
|
|
grant select (id, email, user_type, display_name) on public.profiles to anon;
|
|
|
|
-- Storage bucket policies
|
|
alter table if exists storage.buckets enable row level security;
|
|
|
|
-- Allow super admin full access to buckets
|
|
create policy "Super admin has full access to buckets"
|
|
on storage.buckets for all
|
|
using (current_user = 'service_role' or current_user = 'supabase_admin' or current_user = 'authenticated');
|
|
|
|
-- Allow authenticated users to create buckets if they are the owner
|
|
create policy "Users can create their own buckets"
|
|
on storage.buckets for insert
|
|
to authenticated
|
|
with check (true); -- We'll handle ownership in the application layer
|
|
|
|
-- Allow users to view buckets they own or public buckets
|
|
create policy "Users can view their own buckets"
|
|
on storage.buckets for select
|
|
to authenticated
|
|
using (
|
|
owner::text = auth.uid()::text
|
|
);
|
|
|
|
--[ 11. Database Triggers ]--
|
|
drop trigger if exists handle_profiles_updated_at on public.profiles;
|
|
create trigger handle_profiles_updated_at
|
|
before update on public.profiles
|
|
for each row execute function public.handle_updated_at();
|
|
|
|
drop trigger if exists handle_institute_memberships_updated_at on public.institute_memberships;
|
|
create trigger handle_institute_memberships_updated_at
|
|
before update on public.institute_memberships
|
|
for each row execute function public.handle_updated_at();
|
|
|
|
drop trigger if exists handle_membership_requests_updated_at on public.institute_membership_requests;
|
|
create trigger handle_membership_requests_updated_at
|
|
before update on public.institute_membership_requests
|
|
for each row execute function public.handle_updated_at();
|
|
|
|
--[ 12. Permissions ]--
|
|
-- Grant schema access
|
|
grant usage on schema public to postgres, anon, authenticated;
|
|
|
|
-- Grant table permissions
|
|
grant all privileges on all tables in schema public to postgres;
|
|
grant select, insert, update on all tables in schema public to authenticated;
|
|
|
|
--[ 13. Realtime Setup ]--
|
|
-- Drop existing publication if it exists
|
|
drop publication if exists supabase_realtime;
|
|
|
|
-- Create publication (without IF NOT EXISTS)
|
|
create publication supabase_realtime;
|
|
|
|
-- Add tables to publication (these are idempotent operations)
|
|
alter publication supabase_realtime add table profiles;
|
|
alter publication supabase_realtime add table institute_imports;
|
|
alter publication supabase_realtime add table institutes;
|
|
alter publication supabase_realtime add table institute_memberships;
|
|
alter publication supabase_realtime add table institute_membership_requests;
|
|
alter publication supabase_realtime add table audit_logs; |