fix: tag related policies

hpi-studyu · Jun 30, 2023 · 543cbe5 · 543cbe5
1 parent 0c8b89b
commit 543cbe5
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 31 deletions.
diff --git a/database/migrate_tags.sql b/database/migrate_tags.sql
@@ -50,35 +50,51 @@ ALTER TABLE ONLY public.study_tag
 ALTER TABLE ONLY public.tag
     ADD CONSTRAINT "tag_parentId_fkey" FOREIGN KEY (parent_id) REFERENCES public.tag(id) ON DELETE CASCADE;
 
+-- TODO VERIFY all policies regarding anonymous select, update, insert, delete and authenticated behavior regarding auth.uid()
 
 --
--- Name: tag Allow read access but deny write access for tag; Type: POLICY; Schema: public; Owner: supabase_admin
+-- Name: study_tag Allow read access but deny write access for tags; Type: POLICY; Schema: public; Owner: supabase_admin
+--
+
+CREATE POLICY "Allow read access, deny write access"
+  ON tag
+  FOR SELECT
+  USING (true);
+
+
+--
+-- Name: Allow study creators to manage tags; Type: POLICY; Schema: public; Owner: supabase_admin
 --
--- TODO VERIFY all policies regarding anonymous select, update, insert, delete and authenticated behavior regarding auth.uid()
 
-create policy "Allow read access, deny write access"
-  on tag
-  for select
-  using (true);
-  -- with check (false);
+CREATE POLICY "Allow study creators to manage tags"
+  ON study_tag
+  FOR ALL
+  USING (
+    EXISTS (
+      SELECT 1
+      FROM study
+      WHERE study.id = study_tag.study_id
+        AND study.user_id = auth.uid()
+    )
+  );
 
 
 --
--- Name: study_tag Allow only study creators to add tags to studies; Type: POLICY; Schema: public; Owner: supabase_admin
+-- Name: Allow subscribed users to select study tags; Type: POLICY; Schema: public; Owner: supabase_admin
 --
 
-create policy "Allow study creators to add delete tags"
-  on study_tag
-  for insert, delete
-   USING (
-      TRUE
+CREATE POLICY "Allow subscribed users to select study tags"
+  ON study_tag
+  FOR SELECT
+  USING (
+    EXISTS (
+      SELECT 1
+      FROM study_subject
+      WHERE study_subject.study_id = study_tag.study_id
+        AND study_subject.user_id = auth.uid()
     )
-  with check (exists (
-    select *
-    from study
-    where study.id = id
-      and study.user_id = auth.uid()
-  ));
+  );
+
 
 -- todo deny insert, delete, update for everyone else
 -- todo deny select for everyone except study creators and users subscribed to the study
@@ -90,7 +106,6 @@ create policy "Allow study creators to add delete tags"
 
 ALTER TABLE public.tag ENABLE ROW LEVEL SECURITY;
 
-
 --
 -- Name: study_tag; Type: ROW SECURITY; Schema: public; Owner: supabase_admin
 --

diff --git a/database/studyu-schema.sql b/database/studyu-schema.sql
@@ -128,17 +128,30 @@ CREATE TABLE public.study_subject (
 ALTER TABLE public.study_subject OWNER TO supabase_admin;
 
 --
--- Name: study_tags; Type: TABLE; Schema: public; Owner: supabase_admin
+-- Name: tag; Type: TABLE; Schema: public; Owner: supabase_admin
 --
 
-CREATE TABLE study_tag (
+CREATE TABLE tag (
     id uuid DEFAULT gen_random_uuid() NOT NULL,
     name text NOT NULL,
     color integer,
     parent_id uuid,
 );
 
 
+ALTER TABLE public.study_tag OWNER TO supabase_admin;
+
+
+--
+-- Name: study_tag; Type: TABLE; Schema: public; Owner: supabase_admin
+--
+
+CREATE TABLE study_tag (
+    study_id uuid REFERENCES study (id) ON DELETE CASCADE,
+    tag_id uuid REFERENCES tag (id) ON DELETE CASCADE,
+
+);
+
 ALTER TABLE public.study_tag OWNER TO supabase_admin;
 
 --
@@ -329,12 +342,21 @@ ALTER TABLE ONLY public.study_subject
     ADD CONSTRAINT study_subject_pkey PRIMARY KEY (id);
 
 
+--
+-- Name: tag tag_pkey; Type: CONSTRAINT; Schema: public; Owner: supabase_admin
+--
+
+ALTER TABLE ONLY public.tag
+    ADD CONSTRAINT tag_pkey PRIMARY KEY (id);
+
+
 --
 -- Name: study_tag study_tag_pkey; Type: CONSTRAINT; Schema: public; Owner: supabase_admin
 --
 
 ALTER TABLE ONLY public.study_tag
-    ADD CONSTRAINT study_tag_pkey PRIMARY KEY (id);
+    ADD CONSTRAINT "study_tag_pkey" PRIMARY KEY (study_id, tag_id);
+
 
 -- ======================== FOREIGN KEY CONTRAINTS ======================================================
 
@@ -387,11 +409,11 @@ ALTER TABLE ONLY public.study_subject
 
 
 --
--- Name: study_tag study_tag_parentId_fkey; Type: FK CONSTRAINT; Schema: public; Owner: supabase_admin
+-- Name: tag tag_parentId_fkey; Type: FK CONSTRAINT; Schema: public; Owner: supabase_admin
 --
 
-ALTER TABLE ONLY public.study_tag
-    ADD CONSTRAINT "study_tag_parentId_fkey" FOREIGN KEY (parent_id) REFERENCES public.study_tag(id) ON DELETE CASCADE;
+ALTER TABLE ONLY public.tag
+    ADD CONSTRAINT "tag_parentId_fkey" FOREIGN KEY (parent_id) REFERENCES public.tag(id) ON DELETE CASCADE;
 
 
 --
@@ -875,15 +897,45 @@ CREATE POLICY "Users can do everything with their subjects" ON public.study_subj
 -- Name: study_tag Allow read access but deny write access for tags; Type: POLICY; Schema: public; Owner: supabase_admin
 --
 
-CREATE POLICY allow_read_deny_write_tag ON study_tag FOR ALL
-USING (true) WITH CHECK (false);
+CREATE POLICY "Allow read access, deny write access"
+  ON tag
+  FOR SELECT
+  USING (true);
+
+
+--
+-- Name: Allow study creators to manage tags; Type: POLICY; Schema: public; Owner: supabase_admin
+--
+
+CREATE POLICY "Allow study creators to manage tags"
+  ON study_tag
+  FOR ALL
+  USING (
+    EXISTS (
+      SELECT 1
+      FROM study
+      WHERE study.id = study_tag.study_id
+        AND study.user_id = auth.uid()
+    )
+  );
 
 
 --
--- Name: user Users can do everything with their user data; Type: POLICY; Schema: public; Owner: supabase_admin
+-- Name: Allow subscribed users to select study tags; Type: POLICY; Schema: public; Owner: supabase_admin
 --
 
-CREATE POLICY "Users can read and write their user data" ON public."user" USING ((auth.uid() = id));
+CREATE POLICY "Allow subscribed users to select study tags"
+  ON study_tag
+  FOR SELECT
+  USING (
+    EXISTS (
+      SELECT 1
+      FROM study_subject
+      WHERE study_subject.study_id = study_tag.study_id
+        AND study_subject.user_id = auth.uid()
+    )
+  );
+
 
 --
 -- Name: app_config; Type: ROW SECURITY; Schema: public; Owner: supabase_admin
@@ -915,13 +967,18 @@ ALTER TABLE public.study_invite ENABLE ROW LEVEL SECURITY;
 
 ALTER TABLE public.study_subject ENABLE ROW LEVEL SECURITY;
 
+--
+-- Name: tag; Type: ROW SECURITY; Schema: public; Owner: supabase_admin
+--
+
+ALTER TABLE public.tag ENABLE ROW LEVEL SECURITY;
+
 --
 -- Name: study_tag; Type: ROW SECURITY; Schema: public; Owner: supabase_admin
 --
 
 ALTER TABLE public.study_tag ENABLE ROW LEVEL SECURITY;
 
-
 --
 -- Name: subject_progress; Type: ROW SECURITY; Schema: public; Owner: supabase_admin
 --