-- Enable RLS and define policies for filesystem tables
-- 1) Enable RLS
-- Once RLS is on, a table with no matching policy denies every row to roles
-- that do not bypass RLS; the policies further down reopen access selectively.
-- The four statements are independent, so their order does not matter.
alter table if exists public.document_artefacts enable row level security;
alter table if exists public.brain_files        enable row level security;
alter table if exists public.files              enable row level security;
alter table if exists public.file_cabinets      enable row level security;
drop policy if exists "User can access own cabinets" on public.file_cabinets;
-- File cabinets: a row belongs to the user whose id is stored in user_id.
-- Covers every command; WITH CHECK stops an insert/update from assigning a
-- cabinet to a different user.
-- NOTE(review): no TO clause, so this applies to every role; callers without a
-- JWT subject are excluded only because auth.uid() yields NULL for them —
-- confirm that holds for every role in use.
create policy "User can access own cabinets" on public.file_cabinets
    for all
    using (auth.uid() = user_id)
    with check (auth.uid() = user_id);
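drop policy if exists "User can access files in own cabinet" on public.files;
-- Files: SELECT — a file is readable when its cabinet belongs to the caller.
-- Scoped to SELECT and to the authenticated role on purpose: the original
-- FOR ALL / TO public form also granted INSERT, UPDATE and DELETE, which made
-- the command-specific policies below (and their TO authenticated restriction)
-- redundant because permissive policies are OR-ed together. Those policies
-- now carry the write rules on their own.
create policy "User can access files in own cabinet" on public.files
    for select
    to authenticated
    using (
        exists (
            select 1
            from public.file_cabinets cab
            where cab.id = files.cabinet_id
              and cab.user_id = auth.uid()
        )
    );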
drop policy if exists "User can insert files into own cabinet" on public.files;
-- Files: INSERT (authenticated) — the new row's cabinet must belong to the caller.
create policy "User can insert files into own cabinet" on public.files
    for insert
    to authenticated
    with check (
        exists (
            select 1
            from public.file_cabinets cab
            where files.cabinet_id = cab.id
              and auth.uid() = cab.user_id
        )
    );
drop policy if exists "User can update files in own cabinet" on public.files;
-- Files: UPDATE (authenticated) — both the existing row (USING) and the
-- updated row (WITH CHECK) must sit in a cabinet owned by the caller, so a
-- file cannot be moved into someone else's cabinet.
create policy "User can update files in own cabinet" on public.files
    for update
    to authenticated
    using (
        exists (
            select 1
            from public.file_cabinets cab
            where files.cabinet_id = cab.id
              and auth.uid() = cab.user_id
        )
    )
    with check (
        exists (
            select 1
            from public.file_cabinets cab
            where files.cabinet_id = cab.id
              and auth.uid() = cab.user_id
        )
    );
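drop policy if exists "User can delete files from own cabinet" on public.files;
-- Files: DELETE — only rows in a cabinet owned by the caller.
-- Restricted to the authenticated role for consistency with the INSERT and
-- UPDATE policies on this table; a role for which auth.uid() is NULL could not
-- satisfy the predicate anyway.
create policy "User can delete files from own cabinet" on public.files
    for delete
    to authenticated
    using (
        exists (
            select 1
            from public.file_cabinets cab
            where cab.id = files.cabinet_id
              and cab.user_id = auth.uid()
        )
    );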
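-- 4) Brain-files: allow linking owned files to owned brains
-- A link row may be read, changed, or created only when the caller owns BOTH
-- the brain and the file (ownership of a file goes through its cabinet).
-- USING and WITH CHECK carry the same predicate: the earlier WITH CHECK (true)
-- applied no ownership test to new rows, so any caller could insert a link to
-- a brain or file they do not own, or UPDATE an owned link to point at one.
-- NOTE(review): public.brains is referenced here but its RLS is not enabled in
-- this file — confirm it is handled elsewhere.
drop policy if exists "User can link files they own to their brains" on public.brain_files;
create policy "User can link files they own to their brains" on public.brain_files
    for all
    to authenticated
    using (
        exists (
            select 1
            from public.brains b
            where b.id = brain_files.brain_id
              and b.user_id = auth.uid()
        )
        and exists (
            select 1
            from public.files f
            join public.file_cabinets c on f.cabinet_id = c.id
            where f.id = brain_files.file_id
              and c.user_id = auth.uid()
        )
    )
    with check (
        exists (
            select 1
            from public.brains b
            where b.id = brain_files.brain_id
              and b.user_id = auth.uid()
        )
        and exists (
            select 1
            from public.files f
            join public.file_cabinets c on f.cabinet_id = c.id
            where f.id = brain_files.file_id
              and c.user_id = auth.uid()
        )
    );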
-- 5) Document artefacts: allow reads to owners via file cabinet, writes via service_role
drop policy if exists "artefacts_read_by_owner" on public.document_artefacts;
-- SELECT (authenticated): an artefact is readable when the file it belongs to
-- lives in a cabinet owned by the caller.
create policy "artefacts_read_by_owner" on public.document_artefacts
    for select
    to authenticated
    using (
        exists (
            select 1
            from public.files fl
            join public.file_cabinets cab on cab.id = fl.cabinet_id
            where document_artefacts.file_id = fl.id
              and auth.uid() = cab.user_id
        )
    );
drop policy if exists "artefacts_rw_service" on public.document_artefacts;
-- Unrestricted read/write for service_role: every command, no row filter.
-- NOTE(review): if service_role bypasses RLS in this deployment this policy is
-- redundant but harmless — confirm against the role's BYPASSRLS setting.
create policy "artefacts_rw_service" on public.document_artefacts
    for all
    to service_role
    using (true)
    with check (true);
-- Allow owners to delete their artefacts (needed for cascades under RLS)
drop policy if exists "artefacts_delete_by_owner" on public.document_artefacts;
-- DELETE (authenticated): same ownership path as the read policy — the
-- artefact's file must be in a cabinet owned by the caller.
create policy "artefacts_delete_by_owner" on public.document_artefacts
    for delete
    to authenticated
    using (
        exists (
            select 1
            from public.files fl
            join public.file_cabinets cab on cab.id = fl.cabinet_id
            where document_artefacts.file_id = fl.id
              and auth.uid() = cab.user_id
        )
    );
-- File vectors RLS and policies are defined in 67-vectors.sql after the table is created