-- ============================================================================ -- Migration 013: Row-Level Security for scheduled_events -- ============================================================================ -- Enables RLS on the scheduled_events table so that users can only see -- their own events at the database level. This is defense-in-depth: -- the API already filters by user_id, but RLS ensures data isolation -- even if there's a bug in the application layer. -- -- The policy allows all operations when app.current_user_id is NULL -- (backward-compatible fallback for queries that don't set the variable). -- When the variable IS set, only rows matching the user's ID are visible. -- ============================================================================ ALTER TABLE scheduled_events ENABLE ROW LEVEL SECURITY; DROP POLICY IF EXISTS scheduled_events_user_policy ON scheduled_events; CREATE POLICY scheduled_events_user_policy ON scheduled_events FOR ALL USING ( user_id = current_setting('app.current_user_id', true)::uuid OR current_setting('app.current_user_id', true) IS NULL );