147 lines
4.8 KiB
SQL
147 lines
4.8 KiB
SQL
-- ============================================
|
|
-- IMMEDIATE FIX FOR RLS ISSUES
|
|
-- Run this SQL directly in Supabase Studio SQL Editor
|
|
-- ============================================
|
|
|
|
-- =====================
|
|
-- STEP 1: FIX STORAGE.OBJECTS POLICIES
|
|
-- =====================
|
|
|
|
-- Drop any existing service_role policies with various names
|
|
DROP POLICY IF EXISTS "Service role can insert avatars" ON storage.objects;
|
|
DROP POLICY IF EXISTS "Service role can update avatars" ON storage.objects;
|
|
DROP POLICY IF EXISTS "Service role can delete avatars" ON storage.objects;
|
|
DROP POLICY IF EXISTS "Service role can read avatars" ON storage.objects;
|
|
DROP POLICY IF EXISTS "service_role_insert_avatars" ON storage.objects;
|
|
DROP POLICY IF EXISTS "service_role_update_avatars" ON storage.objects;
|
|
DROP POLICY IF EXISTS "service_role_delete_avatars" ON storage.objects;
|
|
DROP POLICY IF EXISTS "service_role_select_avatars" ON storage.objects;
|
|
DROP POLICY IF EXISTS "service_role_all_select" ON storage.objects;
|
|
DROP POLICY IF EXISTS "service_role_all_insert" ON storage.objects;
|
|
DROP POLICY IF EXISTS "service_role_all_update" ON storage.objects;
|
|
DROP POLICY IF EXISTS "service_role_all_delete" ON storage.objects;
|
|
|
|
-- Create universal service_role policies for ALL storage operations
|
|
CREATE POLICY "service_role_all_select" ON storage.objects
|
|
FOR SELECT TO service_role
|
|
USING (true);
|
|
|
|
CREATE POLICY "service_role_all_insert" ON storage.objects
|
|
FOR INSERT TO service_role
|
|
WITH CHECK (true);
|
|
|
|
CREATE POLICY "service_role_all_update" ON storage.objects
|
|
FOR UPDATE TO service_role
|
|
USING (true);
|
|
|
|
CREATE POLICY "service_role_all_delete" ON storage.objects
|
|
FOR DELETE TO service_role
|
|
USING (true);
|
|
|
|
-- Grant permissions
|
|
GRANT ALL ON storage.objects TO service_role;
|
|
GRANT ALL ON storage.buckets TO service_role;
|
|
GRANT USAGE ON SCHEMA storage TO service_role;
|
|
|
|
-- =====================
|
|
-- STEP 2: FIX PUBLIC.MEMBERS POLICIES
|
|
-- =====================
|
|
|
|
-- Drop any existing service_role policies on members
|
|
DROP POLICY IF EXISTS "service_role_all_members" ON public.members;
|
|
DROP POLICY IF EXISTS "service_role_select_members" ON public.members;
|
|
DROP POLICY IF EXISTS "service_role_insert_members" ON public.members;
|
|
DROP POLICY IF EXISTS "service_role_update_members" ON public.members;
|
|
DROP POLICY IF EXISTS "service_role_delete_members" ON public.members;
|
|
|
|
-- Create universal service_role policy for members table
|
|
CREATE POLICY "service_role_all_members" ON public.members
|
|
FOR ALL TO service_role
|
|
USING (true)
|
|
WITH CHECK (true);
|
|
|
|
-- Grant permissions
|
|
GRANT ALL ON public.members TO service_role;
|
|
|
|
-- =====================
|
|
-- STEP 3: ENSURE STORAGE BUCKETS EXIST
|
|
-- =====================
|
|
|
|
-- Avatars bucket (public)
|
|
INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
|
|
VALUES (
|
|
'avatars',
|
|
'avatars',
|
|
true,
|
|
5242880,
|
|
ARRAY['image/jpeg', 'image/png', 'image/webp', 'image/gif']
|
|
)
|
|
ON CONFLICT (id) DO UPDATE SET
|
|
public = true,
|
|
file_size_limit = EXCLUDED.file_size_limit,
|
|
allowed_mime_types = EXCLUDED.allowed_mime_types;
|
|
|
|
-- Documents bucket (public for direct URL access - visibility controlled at app level)
|
|
INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
|
|
VALUES (
|
|
'documents',
|
|
'documents',
|
|
true,
|
|
52428800,
|
|
ARRAY['application/pdf', 'application/msword', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.ms-excel', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/vnd.ms-powerpoint', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'text/plain', 'text/csv', 'application/json', 'image/jpeg', 'image/png', 'image/webp', 'image/gif']
|
|
)
|
|
ON CONFLICT (id) DO UPDATE SET
|
|
public = true,
|
|
file_size_limit = EXCLUDED.file_size_limit,
|
|
allowed_mime_types = EXCLUDED.allowed_mime_types;
|
|
|
|
-- =====================
|
|
-- STEP 4: TRY TO GRANT BYPASSRLS (may fail, that's OK)
|
|
-- =====================
|
|
|
|
DO $$
|
|
BEGIN
|
|
ALTER ROLE service_role BYPASSRLS;
|
|
RAISE NOTICE 'SUCCESS: Granted BYPASSRLS to service_role';
|
|
EXCEPTION
|
|
WHEN insufficient_privilege THEN
|
|
RAISE NOTICE 'INFO: Could not grant BYPASSRLS (using explicit policies instead)';
|
|
WHEN OTHERS THEN
|
|
RAISE NOTICE 'INFO: BYPASSRLS not needed or already set';
|
|
END $$;
|
|
|
|
-- =====================
|
|
-- STEP 5: VERIFY SETUP
|
|
-- =====================
|
|
|
|
-- Check service_role policies on storage.objects
|
|
SELECT
|
|
policyname,
|
|
permissive,
|
|
roles,
|
|
cmd,
|
|
qual,
|
|
with_check
|
|
FROM pg_policies
|
|
WHERE schemaname = 'storage'
|
|
AND tablename = 'objects'
|
|
AND 'service_role' = ANY(roles);
|
|
|
|
-- Check service_role policies on public.members
|
|
SELECT
|
|
policyname,
|
|
permissive,
|
|
roles,
|
|
cmd,
|
|
qual,
|
|
with_check
|
|
FROM pg_policies
|
|
WHERE schemaname = 'public'
|
|
AND tablename = 'members'
|
|
AND 'service_role' = ANY(roles);
|
|
|
|
-- Check if service_role has BYPASSRLS
|
|
SELECT rolname, rolbypassrls
|
|
FROM pg_roles
|
|
WHERE rolname = 'service_role';
|