monacousa-portal/supabase/fix_rls_now.sql

-- ============================================
-- IMMEDIATE FIX FOR RLS ISSUES
-- Run this SQL directly in Supabase Studio SQL Editor
-- ============================================

-- =====================
-- STEP 1: FIX STORAGE.OBJECTS POLICIES
-- =====================

-- Drop any existing service_role policies with various names
DROP POLICY IF EXISTS "Service role can insert avatars" ON storage.objects;
DROP POLICY IF EXISTS "Service role can update avatars" ON storage.objects;
DROP POLICY IF EXISTS "Service role can delete avatars" ON storage.objects;
DROP POLICY IF EXISTS "Service role can read avatars" ON storage.objects;
DROP POLICY IF EXISTS "service_role_insert_avatars" ON storage.objects;
DROP POLICY IF EXISTS "service_role_update_avatars" ON storage.objects;
DROP POLICY IF EXISTS "service_role_delete_avatars" ON storage.objects;
DROP POLICY IF EXISTS "service_role_select_avatars" ON storage.objects;
DROP POLICY IF EXISTS "service_role_all_select" ON storage.objects;
DROP POLICY IF EXISTS "service_role_all_insert" ON storage.objects;
DROP POLICY IF EXISTS "service_role_all_update" ON storage.objects;
DROP POLICY IF EXISTS "service_role_all_delete" ON storage.objects;

-- Create universal service_role policies for ALL storage operations
CREATE POLICY "service_role_all_select" ON storage.objects
FOR SELECT TO service_role
USING (true);

CREATE POLICY "service_role_all_insert" ON storage.objects
FOR INSERT TO service_role
WITH CHECK (true);

CREATE POLICY "service_role_all_update" ON storage.objects
FOR UPDATE TO service_role
USING (true);

CREATE POLICY "service_role_all_delete" ON storage.objects
FOR DELETE TO service_role
USING (true);

-- Grant permissions
GRANT ALL ON storage.objects TO service_role;
GRANT ALL ON storage.buckets TO service_role;
GRANT USAGE ON SCHEMA storage TO service_role;

-- =====================
-- STEP 2: FIX PUBLIC.MEMBERS POLICIES
-- =====================

-- Drop any existing service_role policies on members
DROP POLICY IF EXISTS "service_role_all_members" ON public.members;
DROP POLICY IF EXISTS "service_role_select_members" ON public.members;
DROP POLICY IF EXISTS "service_role_insert_members" ON public.members;
DROP POLICY IF EXISTS "service_role_update_members" ON public.members;
DROP POLICY IF EXISTS "service_role_delete_members" ON public.members;

-- Create universal service_role policy for members table
CREATE POLICY "service_role_all_members" ON public.members
FOR ALL TO service_role
USING (true)
WITH CHECK (true);

-- Grant permissions
GRANT ALL ON public.members TO service_role;

-- =====================
-- STEP 3: ENSURE STORAGE BUCKETS EXIST
-- =====================

-- Avatars bucket (public)
INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
VALUES (
  'avatars',
  'avatars',
  true,
  5242880,
  ARRAY['image/jpeg', 'image/png', 'image/webp', 'image/gif']
)
ON CONFLICT (id) DO UPDATE SET
  public = true,
  file_size_limit = EXCLUDED.file_size_limit,
  allowed_mime_types = EXCLUDED.allowed_mime_types;

-- Documents bucket (public for direct URL access - visibility controlled at app level)
INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
VALUES (
  'documents',
  'documents',
  true,
  52428800,
  ARRAY['application/pdf', 'application/msword', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.ms-excel', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/vnd.ms-powerpoint', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'text/plain', 'text/csv', 'application/json', 'image/jpeg', 'image/png', 'image/webp', 'image/gif']
)
ON CONFLICT (id) DO UPDATE SET
  public = true,
  file_size_limit = EXCLUDED.file_size_limit,
  allowed_mime_types = EXCLUDED.allowed_mime_types;

-- =====================
-- STEP 4: TRY TO GRANT BYPASSRLS (may fail, that's OK)
-- =====================

DO $$
BEGIN
  ALTER ROLE service_role BYPASSRLS;
  RAISE NOTICE 'SUCCESS: Granted BYPASSRLS to service_role';
EXCEPTION
  WHEN insufficient_privilege THEN
    RAISE NOTICE 'INFO: Could not grant BYPASSRLS (using explicit policies instead)';
  WHEN OTHERS THEN
    RAISE NOTICE 'INFO: BYPASSRLS not needed or already set';
END $$;

-- =====================
-- STEP 5: VERIFY SETUP
-- =====================

-- Check service_role policies on storage.objects
SELECT
  policyname,
  permissive,
  roles,
  cmd,
  qual,
  with_check
FROM pg_policies
WHERE schemaname = 'storage'
  AND tablename = 'objects'
  AND 'service_role' = ANY(roles);

-- Check service_role policies on public.members
SELECT
  policyname,
  permissive,
  roles,
  cmd,
  qual,
  with_check
FROM pg_policies
WHERE schemaname = 'public'
  AND tablename = 'members'
  AND 'service_role' = ANY(roles);

-- Check if service_role has BYPASSRLS
SELECT rolname, rolbypassrls
FROM pg_roles
WHERE rolname = 'service_role';
Initial production deployment setup - Production docker-compose with nginx support - Nginx configuration for portal.monacousa.org - Deployment script with backup/restore - Gitea CI/CD workflow - Fix CountryFlag reactivity for dropdown flags Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-25 02:19:49 +01:00			`-- ============================================`
			`-- IMMEDIATE FIX FOR RLS ISSUES`
			`-- Run this SQL directly in Supabase Studio SQL Editor`
			`-- ============================================`

			`-- =====================`
			`-- STEP 1: FIX STORAGE.OBJECTS POLICIES`
			`-- =====================`

			`-- Drop any existing service_role policies with various names`
			`DROP POLICY IF EXISTS "Service role can insert avatars" ON storage.objects;`
			`DROP POLICY IF EXISTS "Service role can update avatars" ON storage.objects;`
			`DROP POLICY IF EXISTS "Service role can delete avatars" ON storage.objects;`
			`DROP POLICY IF EXISTS "Service role can read avatars" ON storage.objects;`
			`DROP POLICY IF EXISTS "service_role_insert_avatars" ON storage.objects;`
			`DROP POLICY IF EXISTS "service_role_update_avatars" ON storage.objects;`
			`DROP POLICY IF EXISTS "service_role_delete_avatars" ON storage.objects;`
			`DROP POLICY IF EXISTS "service_role_select_avatars" ON storage.objects;`
			`DROP POLICY IF EXISTS "service_role_all_select" ON storage.objects;`
			`DROP POLICY IF EXISTS "service_role_all_insert" ON storage.objects;`
			`DROP POLICY IF EXISTS "service_role_all_update" ON storage.objects;`
			`DROP POLICY IF EXISTS "service_role_all_delete" ON storage.objects;`

			`-- Create universal service_role policies for ALL storage operations`
			`CREATE POLICY "service_role_all_select" ON storage.objects`
			`FOR SELECT TO service_role`
			`USING (true);`

			`CREATE POLICY "service_role_all_insert" ON storage.objects`
			`FOR INSERT TO service_role`
			`WITH CHECK (true);`

			`CREATE POLICY "service_role_all_update" ON storage.objects`
			`FOR UPDATE TO service_role`
			`USING (true);`

			`CREATE POLICY "service_role_all_delete" ON storage.objects`
			`FOR DELETE TO service_role`
			`USING (true);`

			`-- Grant permissions`
			`GRANT ALL ON storage.objects TO service_role;`
			`GRANT ALL ON storage.buckets TO service_role;`
			`GRANT USAGE ON SCHEMA storage TO service_role;`

			`-- =====================`
			`-- STEP 2: FIX PUBLIC.MEMBERS POLICIES`
			`-- =====================`

			`-- Drop any existing service_role policies on members`
			`DROP POLICY IF EXISTS "service_role_all_members" ON public.members;`
			`DROP POLICY IF EXISTS "service_role_select_members" ON public.members;`
			`DROP POLICY IF EXISTS "service_role_insert_members" ON public.members;`
			`DROP POLICY IF EXISTS "service_role_update_members" ON public.members;`
			`DROP POLICY IF EXISTS "service_role_delete_members" ON public.members;`

			`-- Create universal service_role policy for members table`
			`CREATE POLICY "service_role_all_members" ON public.members`
			`FOR ALL TO service_role`
			`USING (true)`
			`WITH CHECK (true);`

			`-- Grant permissions`
			`GRANT ALL ON public.members TO service_role;`

			`-- =====================`
			`-- STEP 3: ENSURE STORAGE BUCKETS EXIST`
			`-- =====================`

			`-- Avatars bucket (public)`
			`INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)`
			`VALUES (`
			`'avatars',`
			`'avatars',`
			`true,`
			`5242880,`
			`ARRAY['image/jpeg', 'image/png', 'image/webp', 'image/gif']`
			`)`
			`ON CONFLICT (id) DO UPDATE SET`
			`public = true,`
			`file_size_limit = EXCLUDED.file_size_limit,`
			`allowed_mime_types = EXCLUDED.allowed_mime_types;`

			`-- Documents bucket (public for direct URL access - visibility controlled at app level)`
			`INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)`
			`VALUES (`
			`'documents',`
			`'documents',`
			`true,`
			`52428800,`
			`ARRAY['application/pdf', 'application/msword', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.ms-excel', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/vnd.ms-powerpoint', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'text/plain', 'text/csv', 'application/json', 'image/jpeg', 'image/png', 'image/webp', 'image/gif']`
			`)`
			`ON CONFLICT (id) DO UPDATE SET`
			`public = true,`
			`file_size_limit = EXCLUDED.file_size_limit,`
			`allowed_mime_types = EXCLUDED.allowed_mime_types;`

			`-- =====================`
			`-- STEP 4: TRY TO GRANT BYPASSRLS (may fail, that's OK)`
			`-- =====================`

			`DO $$`
			`BEGIN`
			`ALTER ROLE service_role BYPASSRLS;`
			`RAISE NOTICE 'SUCCESS: Granted BYPASSRLS to service_role';`
			`EXCEPTION`
			`WHEN insufficient_privilege THEN`
			`RAISE NOTICE 'INFO: Could not grant BYPASSRLS (using explicit policies instead)';`
			`WHEN OTHERS THEN`
			`RAISE NOTICE 'INFO: BYPASSRLS not needed or already set';`
			`END $$;`

			`-- =====================`
			`-- STEP 5: VERIFY SETUP`
			`-- =====================`

			`-- Check service_role policies on storage.objects`
			`SELECT`
			`policyname,`
			`permissive,`
			`roles,`
			`cmd,`
			`qual,`
			`with_check`
			`FROM pg_policies`
			`WHERE schemaname = 'storage'`
			`AND tablename = 'objects'`
			`AND 'service_role' = ANY(roles);`

			`-- Check service_role policies on public.members`
			`SELECT`
			`policyname,`
			`permissive,`
			`roles,`
			`cmd,`
			`qual,`
			`with_check`
			`FROM pg_policies`
			`WHERE schemaname = 'public'`
			`AND tablename = 'members'`
			`AND 'service_role' = ANY(roles);`

			`-- Check if service_role has BYPASSRLS`
			`SELECT rolname, rolbypassrls`
			`FROM pg_roles`
			`WHERE rolname = 'service_role';`