letsbe
/
monacousa-portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add comprehensive table grants for authenticated role
Build and Push Docker Image / build (push) Successful in 1m54s Details 

RLS policies define WHAT rows can be accessed, but GRANT statements
control WHETHER a table can be accessed at all. This was causing 403
errors when authenticated users tried to access tables.

Added grants for:
- Core tables: members, membership_statuses, membership_types
- Dues: dues_payments (SELECT)
- Events: events, event_types, event_rsvps (full CRUD), event_rsvps_public
- Documents: documents, document_categories, document_folders
- Settings: app_settings (SELECT for public settings)
- Email: email_logs (SELECT for own logs)
- Preferences: user_notification_preferences (SELECT, INSERT, UPDATE)
- Views: members_with_dues, events_with_counts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Matt 2026-01-26 15:40:47 +01:00
parent fdd0bb1f7e
commit dc0198dcad
1 changed files with 42 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
deploy/init.sql
View File

@ -243,6 +243,12 @@ GRANT ALL ON public.membership_statuses TO service_role;
GRANT ALL ON public.membership_types TO service_role; GRANT ALL ON public.membership_types TO service_role;
GRANT ALL ON public.members TO service_role; GRANT ALL ON public.members TO service_role;
-- Grant authenticated role read access to core tables (required for RLS to work)
GRANT SELECT ON public.membership_statuses TO authenticated;
GRANT SELECT ON public.membership_types TO authenticated;
GRANT SELECT ON public.members TO authenticated;
GRANT UPDATE ON public.members TO authenticated;
-- DUES PAYMENTS -- DUES PAYMENTS
CREATE TABLE public.dues_payments ( CREATE TABLE public.dues_payments (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(), id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
@ -575,6 +581,9 @@ LEFT JOIN LATERAL (
LIMIT 1 LIMIT 1
) dp ON true; ) dp ON true;
-- Grant access to authenticated users
GRANT SELECT ON public.members_with_dues TO authenticated;
-- Events with attendee counts -- Events with attendee counts
CREATE VIEW public.events_with_counts AS CREATE VIEW public.events_with_counts AS
SELECT SELECT
@ -617,6 +626,39 @@ LEFT JOIN LATERAL (
WHERE event_id = e.id WHERE event_id = e.id
) public_rsvps ON true; ) public_rsvps ON true;
-- Grant view access to authenticated users
GRANT SELECT ON public.events_with_counts TO authenticated;
-- ============================================
-- TABLE GRANTS FOR AUTHENTICATED ROLE
-- ============================================
-- These grants are required for RLS policies to work.
-- RLS policies control WHAT rows can be accessed,
-- but GRANT controls WHETHER the table can be accessed at all.
-- Core tables
GRANT SELECT ON public.dues_payments TO authenticated;
-- Events
GRANT SELECT ON public.events TO authenticated;
GRANT SELECT ON public.event_types TO authenticated;
GRANT SELECT, INSERT, UPDATE, DELETE ON public.event_rsvps TO authenticated;
GRANT SELECT, INSERT ON public.event_rsvps_public TO authenticated;
-- Documents
GRANT SELECT ON public.documents TO authenticated;
GRANT SELECT ON public.document_categories TO authenticated;
GRANT SELECT ON public.document_folders TO authenticated;
-- Settings (public settings viewable)
GRANT SELECT ON public.app_settings TO authenticated;
-- Email logs (own logs viewable)
GRANT SELECT ON public.email_logs TO authenticated;
-- Notification preferences
GRANT SELECT, INSERT, UPDATE ON public.user_notification_preferences TO authenticated;
-- ROW LEVEL SECURITY -- ROW LEVEL SECURITY
-- Enable RLS on all tables -- Enable RLS on all tables