-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathfix-organization-invitations-rls.sql
More file actions
85 lines (78 loc) · 2.52 KB
/
fix-organization-invitations-rls.sql
File metadata and controls
85 lines (78 loc) · 2.52 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
-- Create RLS policies for organization_invitations table
-- Enable RLS on the table (if not already enabled)
ALTER TABLE organization_invitations ENABLE ROW LEVEL SECURITY;
-- Policy 1: Organization admins can create invitations
CREATE POLICY "Admins can create organization invitations" ON organization_invitations
FOR INSERT
TO authenticated
WITH CHECK (
-- Check if user is admin/owner of the organization
EXISTS (
SELECT 1 FROM memberships m
WHERE m.organization_id = organization_invitations.organization_id
AND m.user_id = auth.uid()
AND m.role IN ('admin', 'owner')
AND m.accepted_at IS NOT NULL
)
);
-- Policy 2: Organization members can view invitations for their organization
CREATE POLICY "Members can view organization invitations" ON organization_invitations
FOR SELECT
TO authenticated
USING (
-- Check if user is a member of the organization
EXISTS (
SELECT 1 FROM memberships m
WHERE m.organization_id = organization_invitations.organization_id
AND m.user_id = auth.uid()
AND m.accepted_at IS NOT NULL
)
);
-- Policy 3: Organization admins can update invitations (e.g., cancel them)
CREATE POLICY "Admins can update organization invitations" ON organization_invitations
FOR UPDATE
TO authenticated
USING (
EXISTS (
SELECT 1 FROM memberships m
WHERE m.organization_id = organization_invitations.organization_id
AND m.user_id = auth.uid()
AND m.role IN ('admin', 'owner')
AND m.accepted_at IS NOT NULL
)
)
WITH CHECK (
EXISTS (
SELECT 1 FROM memberships m
WHERE m.organization_id = organization_invitations.organization_id
AND m.user_id = auth.uid()
AND m.role IN ('admin', 'owner')
AND m.accepted_at IS NOT NULL
)
);
-- Policy 4: Organization admins can delete invitations
CREATE POLICY "Admins can delete organization invitations" ON organization_invitations
FOR DELETE
TO authenticated
USING (
EXISTS (
SELECT 1 FROM memberships m
WHERE m.organization_id = organization_invitations.organization_id
AND m.user_id = auth.uid()
AND m.role IN ('admin', 'owner')
AND m.accepted_at IS NOT NULL
)
);
-- Policy 5: Allow invited users to view their own invitations (for acceptance)
CREATE POLICY "Users can view invitations sent to them" ON organization_invitations
FOR SELECT
TO authenticated
USING (
email = (SELECT email FROM auth.users WHERE id = auth.uid())
);
-- Policy 6: Allow service role full access
CREATE POLICY "Service role has full access" ON organization_invitations
FOR ALL
TO service_role
USING (true)
WITH CHECK (true);