letsbe
/
monacousa-portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Complete database grants and update README
Build and Push Docker Image / build (push) Successful in 1m52s Details 

init.sql changes:
- Add INSERT grant for members table (for /join signup)
- Add INSERT grant for dues_payments (for board recording payments)
- Add full CRUD grants for events, documents, document_folders
- Add UPDATE grant for email_templates (admin management)
- Add anon role grants for public event viewing and RSVP creation

README changes:
- Add "Important Notes" section explaining dynamic env vars
- Add first-time setup and database initialization docs
- Add troubleshooting for 403 errors with grant fix commands
- Add troubleshooting for "account not configured" errors

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Matt 2026-01-26 15:44:25 +01:00
parent dc0198dcad
commit 2451582dc6
2 changed files with 75 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
deploy/README.md
View File

@ -271,6 +271,37 @@ docker run --rm -v monacousa_storage-data:/data -v $(pwd):/backup alpine \
docker compose up -d docker compose up -d
``` ```
## Important Notes
### Environment Variables
The portal uses **dynamic environment variables** which are read at runtime. This means:
- You can change `.env` values and restart containers without rebuilding
- The pre-built Docker image works with any configuration
- JWT tokens and API keys must be generated using `./setup.sh`
### First-Time Setup
On first access to the portal, you'll be redirected to `/setup` where you create the initial admin account. This only happens when the `members` table is empty.
### Database Initialization
The `init.sql` file:
- Creates all database schemas, tables, views, and functions
- Sets up Row Level Security (RLS) policies
- Grants appropriate permissions to database roles
- Runs automatically on first container start
If you need to reset the database:
```bash
docker compose down -v # WARNING: Deletes all data!
docker compose up -d
```
### Rebuilding the Portal (If Needed)
If you're building from source instead of using the pre-built image, ensure environment variables are passed during build for static features. For most deployments, the pre-built image with runtime env vars is recommended.
## Troubleshooting ## Troubleshooting
### Containers not starting ### Containers not starting
@ -305,6 +336,27 @@ This usually means the API keys don't match. Run setup again:
docker compose restart kong docker compose restart kong
``` ```
### API 403 Forbidden errors
This means the database permissions (GRANTs) are missing. This is fixed in the init.sql, but if you see this on an existing deployment, run:
```bash
docker compose exec db psql -U postgres -c "
GRANT SELECT, INSERT, UPDATE ON public.members TO authenticated;
GRANT SELECT ON public.membership_statuses TO authenticated;
GRANT SELECT ON public.membership_types TO authenticated;
GRANT SELECT ON public.members_with_dues TO authenticated;
GRANT SELECT, INSERT ON public.dues_payments TO authenticated;
GRANT SELECT, INSERT, UPDATE, DELETE ON public.events TO authenticated;
GRANT SELECT, INSERT, UPDATE, DELETE ON public.event_rsvps TO authenticated;
GRANT SELECT ON public.events_with_counts TO authenticated;
"
```
### "Your account is not properly configured" error
This occurs when a user can authenticate but can't query their member profile. Usually a database permission issue - see the 403 fix above.
### Portal not loading ### Portal not loading
```bash ```bash

35
deploy/init.sql
View File

@ -243,11 +243,10 @@ GRANT ALL ON public.membership_statuses TO service_role;
GRANT ALL ON public.membership_types TO service_role; GRANT ALL ON public.membership_types TO service_role;
GRANT ALL ON public.members TO service_role; GRANT ALL ON public.members TO service_role;
-- Grant authenticated role read access to core tables (required for RLS to work) -- Grant authenticated role access to core tables (required for RLS to work)
GRANT SELECT ON public.membership_statuses TO authenticated; GRANT SELECT ON public.membership_statuses TO authenticated;
GRANT SELECT ON public.membership_types TO authenticated; GRANT SELECT ON public.membership_types TO authenticated;
GRANT SELECT ON public.members TO authenticated; GRANT SELECT, INSERT, UPDATE ON public.members TO authenticated;
GRANT UPDATE ON public.members TO authenticated;
-- DUES PAYMENTS -- DUES PAYMENTS
CREATE TABLE public.dues_payments ( CREATE TABLE public.dues_payments (
@ -629,6 +628,17 @@ LEFT JOIN LATERAL (
-- Grant view access to authenticated users -- Grant view access to authenticated users
GRANT SELECT ON public.events_with_counts TO authenticated; GRANT SELECT ON public.events_with_counts TO authenticated;
-- ============================================
-- TABLE GRANTS FOR ANON ROLE (public access)
-- ============================================
-- These grants allow unauthenticated users to access public content.
-- RLS policies control what specific data can be accessed.
GRANT SELECT ON public.events TO anon;
GRANT SELECT ON public.event_types TO anon;
GRANT SELECT, INSERT ON public.event_rsvps_public TO anon;
GRANT SELECT ON public.events_with_counts TO anon;
-- ============================================ -- ============================================
-- TABLE GRANTS FOR AUTHENTICATED ROLE -- TABLE GRANTS FOR AUTHENTICATED ROLE
-- ============================================ -- ============================================
@ -636,24 +646,25 @@ GRANT SELECT ON public.events_with_counts TO authenticated;
-- RLS policies control WHAT rows can be accessed, -- RLS policies control WHAT rows can be accessed,
-- but GRANT controls WHETHER the table can be accessed at all. -- but GRANT controls WHETHER the table can be accessed at all.
-- Core tables -- Dues payments (board/admin can insert via RLS policy)
GRANT SELECT ON public.dues_payments TO authenticated; GRANT SELECT, INSERT ON public.dues_payments TO authenticated;
-- Events -- Events (board/admin can manage via RLS)
GRANT SELECT ON public.events TO authenticated; GRANT SELECT, INSERT, UPDATE, DELETE ON public.events TO authenticated;
GRANT SELECT ON public.event_types TO authenticated; GRANT SELECT ON public.event_types TO authenticated;
GRANT SELECT, INSERT, UPDATE, DELETE ON public.event_rsvps TO authenticated; GRANT SELECT, INSERT, UPDATE, DELETE ON public.event_rsvps TO authenticated;
GRANT SELECT, INSERT ON public.event_rsvps_public TO authenticated; GRANT SELECT, INSERT, UPDATE, DELETE ON public.event_rsvps_public TO authenticated;
-- Documents -- Documents (board/admin can manage via RLS)
GRANT SELECT ON public.documents TO authenticated; GRANT SELECT, INSERT, UPDATE, DELETE ON public.documents TO authenticated;
GRANT SELECT ON public.document_categories TO authenticated; GRANT SELECT ON public.document_categories TO authenticated;
GRANT SELECT ON public.document_folders TO authenticated; GRANT SELECT, INSERT, UPDATE, DELETE ON public.document_folders TO authenticated;
-- Settings (public settings viewable) -- Settings (public settings viewable)
GRANT SELECT ON public.app_settings TO authenticated; GRANT SELECT ON public.app_settings TO authenticated;
-- Email logs (own logs viewable) -- Email (admin can manage templates, users can view own logs)
GRANT SELECT, UPDATE ON public.email_templates TO authenticated;
GRANT SELECT ON public.email_logs TO authenticated; GRANT SELECT ON public.email_logs TO authenticated;
-- Notification preferences -- Notification preferences