23 lines
1.1 KiB
SQL
23 lines
1.1 KiB
SQL
-- ============================================================================
|
|
-- Migration 013: Row-Level Security for scheduled_events
|
|
-- ============================================================================
|
|
-- Enables RLS on the scheduled_events table so that users can only see
|
|
-- their own events at the database level. This is defense-in-depth:
|
|
-- the API already filters by user_id, but RLS ensures data isolation
|
|
-- even if there's a bug in the application layer.
|
|
--
|
|
-- The policy allows all operations when app.current_user_id is NULL
|
|
-- (backward-compatible fallback for queries that don't set the variable).
|
|
-- When the variable IS set, only rows matching the user's ID are visible.
|
|
-- ============================================================================
|
|
|
|
ALTER TABLE scheduled_events ENABLE ROW LEVEL SECURITY;
|
|
|
|
DROP POLICY IF EXISTS scheduled_events_user_policy ON scheduled_events;
|
|
CREATE POLICY scheduled_events_user_policy ON scheduled_events
|
|
FOR ALL
|
|
USING (
|
|
user_id = current_setting('app.current_user_id', true)::uuid
|
|
OR current_setting('app.current_user_id', true) IS NULL
|
|
);
|