kcar
fcab68f57a
The classes/class_teachers/class_students/enrollment_requests tables existed only on live dev (.94) with no tracked DDL, and RLS exposed class_students / class_teachers to service_role ONLY — so any API path calling Supabase as the user read zero rows. - 71-class-management.sql captures the real schema (idempotent), adds SECURITY DEFINER membership helpers, and adds as-user RLS policies (cs_read/cs_write, ct_read/ct_write, classes_admin_write, er_class_staff) while preserving the existing service_role / institute_read / er_own policies. Applied + verified on dev .94: class teacher sees roster (1), unrelated teacher denied (0), service_role unaffected (full). FKs/uniques/checks already present on .94 (no constraint changes needed). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>