@jmruthers/pace-core 0.5.189 → 0.5.190

package/src/hooks/usePermissionCache.test.ts

@@ -7,8 +7,8 @@
  * Comprehensive tests for the usePermissionCache hook covering all critical functionality.
  */
 
-import { renderHook, waitFor, act } from '@testing-library/react';
-import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { renderHook, act } from '@testing-library/react';
+import { vi, describe, it, expect, beforeEach } from 'vitest';
 import { usePermissionCache } from './usePermissionCache';
 
 // Mock the dependencies
@@ -29,6 +29,16 @@ vi.mock('../rbac/api', () => ({
   isPermittedCached: vi.fn()
 }));
 
+const loggerSpy = vi.hoisted(() => ({
+  warn: vi.fn(),
+  error: vi.fn()
+}));
+
+vi.mock('../utils/core/logger', () => ({
+  logger: loggerSpy,
+  createLogger: () => loggerSpy
+}));
+
 import { useUnifiedAuth } from '../providers/services/UnifiedAuthProvider';
 import { useOrganisations } from './useOrganisations';
 import { useEvents } from './useEvents';
@@ -41,7 +51,7 @@ const mockIsPermittedCached = vi.mocked(isPermittedCached);
 describe('usePermissionCache', () => {
   beforeEach(() => {
     vi.clearAllMocks();
-    
+
     // Setup default mocks
     mockUseUnifiedAuthFn.mockReturnValue({
       user: { id: 'user-123' },
@@ -50,19 +60,19 @@ describe('usePermissionCache', () => {
       selectedOrganisationId: 'org-123',
       selectedEventId: undefined
     } as any);
-    
+
     mockUseOrganisations.mockReturnValue({
       selectedOrganisation: { id: 'org-123' }
     } as any);
-    
+
     mockUseEvents.mockReturnValue({
       selectedEvent: null
     } as any);
-    
+
     mockIsPermittedCached.mockResolvedValue(true);
   });
 
-    describe('Hook Initialization', () => {
+  describe('Hook Initialization', () => {
     it('initializes with default configuration', () => {
       const { result } = renderHook(() => usePermissionCache());
 
@@ -130,6 +140,16 @@ describe('usePermissionCache', () => {
       expect(results.every(r => r.hasPermission)).toBe(true);
     });
 
+    it('handles empty permission arrays gracefully', async () => {
+      const { result } = renderHook(() => usePermissionCache());
+
+      const results = await result.current.checkMultiplePermissions([]);
+
+      expect(results).toEqual([]);
+      expect(mockIsPermittedCached).not.toHaveBeenCalled();
+      expect(loggerSpy.warn).toHaveBeenCalled();
+    });
+
     it('handles permission check errors gracefully', async () => {
       mockIsPermittedCached.mockRejectedValueOnce(new Error('Permission check failed'));
 
@@ -137,6 +157,7 @@ describe('usePermissionCache', () => {
 
       const hasPermission = await result.current.checkPermission('read', 'users');
       expect(hasPermission).toBe(false);
+      expect(loggerSpy.error).toHaveBeenCalled();
     });
 
     it('handles missing user context gracefully', () => {
@@ -153,6 +174,23 @@ describe('usePermissionCache', () => {
       expect(result.current).toBeDefined();
       expect(result.current.checkPermission).toBeInstanceOf(Function);
     });
+
+    it('deduplicates concurrent permission checks', async () => {
+      mockIsPermittedCached.mockImplementation(
+        () => new Promise(resolve => setTimeout(() => resolve(true), 50))
+      );
+
+      const { result } = renderHook(() => usePermissionCache());
+
+      const [first, second] = await Promise.all([
+        result.current.checkPermission('read', 'users'),
+        result.current.checkPermission('read', 'users')
+      ]);
+
+      expect(first).toBe(true);
+      expect(second).toBe(true);
+      expect(mockIsPermittedCached).toHaveBeenCalledTimes(1);
+    });
   });
 
   describe('Cache Management', () => {
@@ -196,10 +234,23 @@ describe('usePermissionCache', () => {
       
       // Check again - should not use cache
       await result.current.checkPermission('read', 'users');
-      
+
       expect(mockIsPermittedCached).toHaveBeenCalledTimes(2);
     });
 
+    it('invalidates cache entries by pattern', async () => {
+      const { result } = renderHook(() => usePermissionCache());
+
+      await result.current.checkPermission('read', 'dashboard');
+      await result.current.checkPermission('read', 'admin');
+
+      result.current.invalidateCache('dashboard');
+
+      await result.current.checkPermission('read', 'dashboard');
+
+      expect(mockIsPermittedCached).toHaveBeenCalledTimes(3);
+    });
+
     it('respects max cache size', async () => {
       const { result } = renderHook(() => usePermissionCache({
         maxCacheSize: 2
@@ -246,6 +297,32 @@ describe('usePermissionCache', () => {
       expect(debugInfo.totalChecks).toBe(2);
     });
 
+    it('returns cached permissions for a page', async () => {
+      mockIsPermittedCached
+        .mockResolvedValueOnce(true)
+        .mockResolvedValueOnce(false)
+        .mockResolvedValueOnce(true)
+        .mockResolvedValueOnce(false);
+
+      const { result } = renderHook(() => usePermissionCache());
+
+      await result.current.checkMultiplePermissions([
+        ['read', 'dashboard'],
+        ['create', 'dashboard'],
+        ['update', 'dashboard'],
+        ['delete', 'dashboard']
+      ]);
+
+      const cachedPermissions = result.current.getCachedPermissions('dashboard');
+
+      expect(cachedPermissions).toEqual([
+        { operation: 'read', hasPermission: true },
+        { operation: 'create', hasPermission: false },
+        { operation: 'update', hasPermission: true },
+        { operation: 'delete', hasPermission: false }
+      ]);
+    });
+
     it('tracks average response time', async () => {
       const { result } = renderHook(() => usePermissionCache());
 

package/src/hooks/useQueryCache.ts

@@ -51,6 +51,27 @@ function runCacheCleanup() {
 if (typeof window !== 'undefined' && !cleanupTimer) {
   cleanupTimer = setInterval(runCacheCleanup, CLEANUP_INTERVAL_MS);
   log.debug('Query cache cleanup initialized.');
+  
+  // Cleanup on page unload to prevent memory leaks
+  window.addEventListener('beforeunload', () => {
+    if (cleanupTimer) {
+      clearInterval(cleanupTimer);
+      cleanupTimer = null;
+      log.debug('Query cache cleanup timer cleared on page unload.');
+    }
+  });
+}
+
+/**
+ * Manually cleanup the query cache cleanup timer
+ * Useful for testing or when the module is reloaded
+ */
+export function cleanupQueryCache(): void {
+  if (cleanupTimer) {
+    clearInterval(cleanupTimer);
+    cleanupTimer = null;
+    log.debug('Query cache cleanup timer cleared.');
+  }
 }
 
 export interface UseQueryCacheOptions {

package/src/hooks/useSecureDataAccess.test.ts

@@ -14,6 +14,8 @@ import { useUnifiedAuth } from '../providers';
 import { useOrganisations } from './useOrganisations';
 import { setOrganisationContext } from '../utils/context/organisationContext';
 import { createMockSupabaseClient, createMockQueryBuilderWithData } from '../__tests__/helpers/supabaseMock';
+import { useResolvedScope } from '../rbac/hooks/useResolvedScope';
+import { useSuperAdminBypass } from '../rbac/hooks/useSuperAdminBypass';
 
 // Mock the providers
 vi.mock('../providers', () => ({
@@ -29,11 +31,23 @@ vi.mock('../utils/context/organisationContext', () => ({
   setOrganisationContext: vi.fn()
 }));
 
+// Mock useResolvedScope
+vi.mock('../rbac/hooks/useResolvedScope', () => ({
+  useResolvedScope: vi.fn()
+}));
+
+// Mock useSuperAdminBypass
+vi.mock('../rbac/hooks/useSuperAdminBypass', () => ({
+  useSuperAdminBypass: vi.fn()
+}));
+
 
 describe('useSecureDataAccess', () => {
   const mockUseUnifiedAuth = vi.mocked(useUnifiedAuth);
   const mockUseOrganisations = vi.mocked(useOrganisations);
   const mockSetOrganisationContext = vi.mocked(setOrganisationContext);
+  const mockUseResolvedScope = vi.mocked(useResolvedScope);
+  const mockUseSuperAdminBypass = vi.mocked(useSuperAdminBypass);
 
   const mockUser = {
     id: 'user-123',
@@ -93,6 +107,22 @@ describe('useSecureDataAccess', () => {
       ensureOrganisationContext: vi.fn().mockReturnValue(mockSelectedOrganisation),
       // Add other required properties
     } as any);
+    
+    // Mock useResolvedScope to return resolved scope with organisationId
+    mockUseResolvedScope.mockReturnValue({
+      resolvedScope: {
+        organisationId: 'org-123',
+        eventId: undefined,
+        appId: undefined,
+      },
+      isLoading: false,
+      error: null,
+    });
+    
+    // Mock useSuperAdminBypass to return not super admin
+    mockUseSuperAdminBypass.mockReturnValue({
+      isSuperAdmin: false,
+    });
   });
 
     describe('Hook Initialization', () => {
@@ -113,9 +143,10 @@ describe('useSecureDataAccess', () => {
       expect(mockUseUnifiedAuth).toHaveBeenCalled();
     });
 
-    it('depends on useOrganisations hook', () => {
+    it('depends on useResolvedScope hook', () => {
       renderHook(() => useSecureDataAccess());
-      expect(mockUseOrganisations).toHaveBeenCalled();
+      // useSecureDataAccess now uses useResolvedScope instead of useOrganisations
+      expect(mockUseResolvedScope).toHaveBeenCalled();
     });
   });
 
@@ -328,15 +359,22 @@ describe('useSecureDataAccess', () => {
     });
 
     it('handles missing organisation context', () => {
-      mockUseOrganisations.mockReturnValue({
+      mockUseUnifiedAuth.mockReturnValue({
+        user: mockUser,
+        session: mockSession,
+        supabase: freshMockSupabase,
+        isAuthenticated: true,
+        signOut: vi.fn(),
         selectedOrganisation: null,
-        getUserRole: vi.fn().mockReturnValue('no_access'),
-        validateOrganisationAccess: vi.fn().mockResolvedValue(false),
-        ensureOrganisationContext: vi.fn().mockImplementation(() => {
-          throw new Error('Organisation context is required but not available');
-        }),
-        // Add other required properties
+        selectedEvent: null,
       } as any);
+      
+      // Mock useResolvedScope to return null scope when no context available
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: null,
+        isLoading: false,
+        error: null,
+      });
 
       const { result } = renderHook(() => useSecureDataAccess());
 
@@ -344,21 +382,15 @@ describe('useSecureDataAccess', () => {
     });
 
     it('validates organisation access before operations', async () => {
-      const mockValidateAccess = vi.fn().mockResolvedValue(true);
-      mockUseOrganisations.mockReturnValue({
-        selectedOrganisation: mockSelectedOrganisation,
-        getUserRole: vi.fn().mockReturnValue('member'),
-        validateOrganisationAccess: mockValidateAccess,
-        ensureOrganisationContext: vi.fn().mockReturnValue(mockSelectedOrganisation),
-        // Add other required properties
-      } as any);
-
+      // The hook uses useResolvedScope to get organisationId, which is already mocked in beforeEach
+      // The validation happens in validateContext which checks resolvedScope.organisationId
       const { result } = renderHook(() => useSecureDataAccess());
 
-      await result.current.secureQuery('users', '*');
+      // Use 'event' table which is in the tablesWithOrganisation list
+      await result.current.secureQuery('event', '*');
       
-      // The hook doesn't call validateOrganisationAccess, it calls ensureOrganisationContext
-      expect(mockUseOrganisations().ensureOrganisationContext).toHaveBeenCalled();
+      // Verify that the query was executed with organisation filter
+      expect(freshMockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', 'org-123');
     });
   });
 
@@ -394,16 +426,16 @@ describe('useSecureDataAccess', () => {
     });
 
     it('handles organisation access validation failures', async () => {
-      mockUseOrganisations.mockReturnValue({
-        selectedOrganisation: mockSelectedOrganisation,
-        getUserRole: vi.fn().mockReturnValue('no_access'),
-        validateOrganisationAccess: vi.fn().mockResolvedValue(false),
-        // Add other required properties
-      } as any);
+      // Mock useResolvedScope to return null scope to simulate missing context
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: null,
+        isLoading: false,
+        error: null,
+      });
 
       const { result } = renderHook(() => useSecureDataAccess());
 
-      await expect(result.current.secureQuery('users', '*')).rejects.toThrow();
+      await expect(result.current.secureQuery('users', '*')).rejects.toThrow('Organisation context is required for data access');
     });
   });
 
@@ -467,13 +499,25 @@ describe('useSecureDataAccess', () => {
 
       // Change organisation
       const newOrganisation = { id: 'org-456', name: 'New Organisation' };
-      mockUseOrganisations.mockReturnValue({
+      mockUseUnifiedAuth.mockReturnValue({
+        user: mockUser,
+        session: mockSession,
+        supabase: freshMockSupabase,
+        isAuthenticated: true,
+        signOut: vi.fn(),
         selectedOrganisation: newOrganisation,
-        getUserRole: vi.fn().mockReturnValue('member'),
-        validateOrganisationAccess: vi.fn().mockResolvedValue(true),
-        ensureOrganisationContext: vi.fn().mockReturnValue(newOrganisation),
-        // Add other required properties
       } as any);
+      
+      // Update useResolvedScope mock to return new organisation
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: {
+          organisationId: 'org-456',
+          eventId: undefined,
+          appId: undefined,
+        },
+        isLoading: false,
+        error: null,
+      });
 
       rerender();
 
@@ -487,9 +531,10 @@ describe('useSecureDataAccess', () => {
       expect(mockUseUnifiedAuth).toHaveBeenCalled();
     });
 
-    it('integrates with useOrganisations hook correctly', () => {
+    it('integrates with useResolvedScope hook correctly', () => {
       renderHook(() => useSecureDataAccess());
-      expect(mockUseOrganisations).toHaveBeenCalled();
+      // useSecureDataAccess now uses useResolvedScope instead of useOrganisations
+      expect(mockUseResolvedScope).toHaveBeenCalled();
     });
 
     it('uses organisation context from provider', () => {

package/src/hooks/useSecureDataAccess.ts

@@ -59,6 +59,8 @@ import { setOrganisationContext } from '../utils/context/organisationContext';
 import { logger } from '../utils/core/logger';
 import type { Permission } from '../rbac/types';
 import type { OrganisationSecurityError } from '../types/organisation';
+import { useSuperAdminBypass } from '../rbac/hooks/useSuperAdminBypass';
+import { useResolvedScope } from '../rbac/hooks/useResolvedScope';
 
 export interface SecureDataAccessReturn {
   /** Execute a secure query with organisation filtering */
@@ -149,13 +151,21 @@ export interface DataAccessRecord {
  * - RPC calls include organisation_id parameter
  */
 export function useSecureDataAccess(): SecureDataAccessReturn {
-  const { supabase, user, session } = useUnifiedAuth();
-  const { ensureOrganisationContext } = useOrganisations();
+  const { supabase, user, session, selectedOrganisation, selectedEvent } = useUnifiedAuth();
   
   // Get selected event for event-scoped RPC calls
   // Use useContext directly to safely check if EventServiceProvider is available
   const eventServiceContext = useContext(EventServiceContext);
-  const selectedEvent = eventServiceContext?.eventService?.getSelectedEvent() || null;
+  const eventFromContext = eventServiceContext?.eventService?.getSelectedEvent() || null;
+  const effectiveSelectedEvent = selectedEvent || eventFromContext;
+  const { isSuperAdmin } = useSuperAdminBypass();
+
+  // Use resolved scope to get organisationId (derived from event if needed)
+  const { resolvedScope } = useResolvedScope({
+    supabase,
+    selectedOrganisationId: selectedOrganisation?.id || null,
+    selectedEventId: effectiveSelectedEvent?.event_id || null
+  });
 
   const validateContext = useCallback((): void => {
     if (!supabase) {
@@ -165,23 +175,29 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
       throw new Error('User must be authenticated with valid session') as OrganisationSecurityError;
     }
     
-    try {
-      ensureOrganisationContext();
-    } catch (error) {
+    if (isSuperAdmin) {
+      return;
+    }
+    
+    if (!resolvedScope?.organisationId) {
       throw new Error('Organisation context is required for data access') as OrganisationSecurityError;
     }
-  }, [supabase, user, session, ensureOrganisationContext]);
+  }, [supabase, user, session, resolvedScope, isSuperAdmin]);
 
   const getCurrentOrganisationId = useCallback((): string => {
+    if (isSuperAdmin) {
+      // For super admins, try to get org from resolved scope or selectedOrganisation
+      return resolvedScope?.organisationId || selectedOrganisation?.id || '';
+    }
+
     validateContext();
-    const currentOrg = ensureOrganisationContext();
-    return currentOrg.id;
-  }, [validateContext, ensureOrganisationContext]);
+    return resolvedScope?.organisationId || '';
+  }, [validateContext, resolvedScope, selectedOrganisation, isSuperAdmin]);
 
   // Set organisation context in database session
-  const setOrganisationContextInSession = useCallback(async (organisationId: string): Promise<void> => {
-    if (!supabase) {
-      throw new Error('No Supabase client available') as OrganisationSecurityError;
+  const setOrganisationContextInSession = useCallback(async (organisationId?: string): Promise<void> => {
+    if (!supabase || !organisationId) {
+      return;
     }
 
     await setOrganisationContext(supabase, organisationId);
@@ -199,7 +215,8 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
     } = {}
   ): Promise<T[]> => {
     validateContext();
-    const organisationId = getCurrentOrganisationId();
+    const bypassOrganisationFilter = isSuperAdmin;
+    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();
 
     // Set organisation context in database session
     await setOrganisationContextInSession(organisationId);
@@ -210,6 +227,9 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
       .select(columns);
 
     // Add organisation filter only if table has organisation_id column
+    // Defense in depth strategy:
+    // - RLS policies are the primary security layer (cannot be bypassed)
+    // - Application-level filtering adds an additional layer of protection
     const tablesWithOrganisation = [
       'event',  'organisation_settings',
       'rbac_event_app_roles', 'rbac_organisation_roles',
@@ -226,11 +246,22 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
       'form_contexts', 'form_field_config', 'form_fields',
       'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', 
       'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', 
-      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions'
+      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions',
+      // rbac_user_profiles has organisation_id but uses conditional filtering
+      'rbac_user_profiles'
     ];
     
-    if (tablesWithOrganisation.includes(table)) {
-      query = query.eq('organisation_id', organisationId);
+    // Apply organisation filtering based on table and super admin status
+    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {
+      // For rbac_user_profiles: Super admins see all (no filter), non-super-admins get filtered (defense in depth)
+      // For other tables: Always apply filter
+      if (table === 'rbac_user_profiles' && isSuperAdmin) {
+        // Super admin: No org filter - RLS handles access control
+        // This allows super admins to see all users across all organisations
+      } else {
+        // Non-super-admin OR other tables: Apply org filter as defense in depth
+        query = query.eq('organisation_id', organisationId);
+      }
     }
 
     // Apply additional filters
@@ -272,23 +303,26 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
     recordDataAccess(table, 'read', true, `SELECT ${columns} FROM ${table}`, filters);
 
     return (data as T[]) || [];
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase]);
+  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);
 
   const secureInsert = useCallback(async <T = any>(
     table: string,
     data: Record<string, any>
   ): Promise<T> => {
     validateContext();
-    const organisationId = getCurrentOrganisationId();
+    const bypassOrganisationFilter = isSuperAdmin;
+    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();
 
     // Set organisation context in database session
     await setOrganisationContextInSession(organisationId);
 
     // Ensure organisation_id is set
-    const secureData = {
-      ...data,
-      organisation_id: organisationId
-    };
+    const secureData = bypassOrganisationFilter
+      ? { ...data }
+      : {
+          ...data,
+          organisation_id: organisationId
+        };
 
     const { data: insertData, error } = await supabase!
       .from(table)
@@ -302,7 +336,7 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
     }
 
     return insertData as T;
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase]);
+  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);
 
   const secureUpdate = useCallback(async <T = any>(
     table: string,
@@ -310,7 +344,8 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
     filters: Record<string, any>
   ): Promise<T[]> => {
     validateContext();
-    const organisationId = getCurrentOrganisationId();
+    const bypassOrganisationFilter = isSuperAdmin;
+    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();
 
     // Set organisation context in database session
     await setOrganisationContextInSession(organisationId);
@@ -333,7 +368,7 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
       'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member'
     ];
     
-    if (tablesWithOrganisation.includes(table)) {
+    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {
       query = query.eq('organisation_id', organisationId);
     }
 
@@ -352,14 +387,15 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
     }
 
     return (updateData as T[]) || [];
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase]);
+  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);
 
   const secureDelete = useCallback(async (
     table: string,
     filters: Record<string, any>
   ): Promise<void> => {
     validateContext();
-    const organisationId = getCurrentOrganisationId();
+    const bypassOrganisationFilter = isSuperAdmin;
+    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();
 
     // Set organisation context in database session
     await setOrganisationContextInSession(organisationId);
@@ -389,7 +425,7 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
       'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions'
     ];
     
-    if (tablesWithOrganisation.includes(table)) {
+    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {
       query = query.eq('organisation_id', organisationId);
     }
 
@@ -406,14 +442,15 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
       logger.error('useSecureDataAccess', 'Delete failed', { table, filters, error });
       throw error;
     }
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase]);
+  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);
 
   const secureRpc = useCallback(async <T = any>(
     functionName: string,
     params: Record<string, any> = {}
   ): Promise<T> => {
     validateContext();
-    const organisationId = getCurrentOrganisationId();
+    const bypassOrganisationFilter = isSuperAdmin;
+    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();
 
     // Set organisation context in database session
     await setOrganisationContextInSession(organisationId);
@@ -477,8 +514,13 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
       secureParams.p_user_id = user.id;
     }
     
-    // Add organisation_id parameter
-    secureParams[paramName] = organisationId;
+    // Add organisation_id parameter when needed
+    if (!bypassOrganisationFilter && organisationId) {
+      secureParams[paramName] = organisationId;
+    } else if (organisationId && !(paramName in params)) {
+      // Default to the current organisation if caller didn't specify one
+      secureParams[paramName] = organisationId;
+    }
     
     // Add p_event_id if function needs it and event is selected
     // CRITICAL: This must be added AFTER organisation_id but BEFORE caller params
@@ -505,7 +547,7 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
     }
 
     return data as T;
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, selectedEvent?.event_id, user?.id]);
+  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, selectedEvent?.event_id, user?.id, isSuperAdmin]);
 
   // NEW: Phase 1 - Enhanced Security Features
   const [dataAccessHistory, setDataAccessHistory] = useState<DataAccessRecord[]>([]);
@@ -570,12 +612,13 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
     filters?: Record<string, any>
   ) => {
     if (!isAuditLogEnabled || !user?.id) return;
-    
+    const auditOrganisationId = getCurrentOrganisationId() || 'super-admin-bypass';
+
     const record: DataAccessRecord = {
       table,
       operation,
       userId: user.id,
-      organisationId: getCurrentOrganisationId(),
+      organisationId: auditOrganisationId,
       allowed,
       timestamp: new Date().toISOString(),
       query,
@@ -592,7 +635,7 @@ export function useSecureDataAccess(): SecureDataAccessReturn {
         table,
         operation,
         userId: user.id,
-        organisationId: getCurrentOrganisationId(),
+        organisationId: auditOrganisationId,
         timestamp: new Date().toISOString()
       });
     }