npm - @nextblock-cms/db - Versions diffs - 0.2.10 → 0.2.11 - Mend

@nextblock-cms/db 0.2.10 → 0.2.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (86) hide show

package/supabase/migrations/20250526175359_fix_languages_select_rls_v9.sql ADDED Viewed

@@ -0,0 +1,81 @@
+-- supabase/migrations/YYYYMMDDHHMMSS_fix_languages_select_rls_v9.sql
+BEGIN;
+-- == LANGUAGES ==
+-- Drop the specific authenticated non-admin policy
+DROP POLICY IF EXISTS "languages_authenticated_non_admin_can_read" ON public.languages;
+DROP POLICY IF EXISTS "languages_user_can_read" ON public.languages; -- If this was the one from v5 attempt
+-- Create a simpler, broader SELECT policy for all authenticated users for the languages table.
+-- The "multiple_permissive_policies" warning for languages was between "languages_admin_management" (FOR ALL)
+-- and "languages_authenticated_non_admin_can_read".
+-- If "languages_admin_management" is FOR ALL, it handles SELECT for admins.
+-- We need a SELECT policy for authenticated users who are NOT admins.
+-- Option 1: Keep admin SELECT via FOR ALL, and add specific for USER/WRITER
+-- (This is what was in _v6.sql basically and was still warned by linter, but might be a linter quirk)
+-- CREATE POLICY "languages_user_writer_can_read" ON public.languages
+--   FOR SELECT TO authenticated
+--   USING (public.get_current_user_role() IN ('USER', 'WRITER'));
+-- Option 2: Make the "publicly readable" policy truly public for SELECT FOR ALL ROLES,
+-- and ensure the admin management policy is ONLY for writes. This was the _v7.sql approach which failed syntax.
+-- Let's retry the _v7 approach for *just* the languages table, as it's the most robust against the linter.
+-- We need to be absolutely sure about the FOR INSERT, UPDATE, DELETE syntax.
+-- If that syntax is the absolute blocker, we're in a tough spot.
+-- Assuming the error "JSON object requested, multiple (or no) rows returned" means NO rows were returned,
+-- it means NO select policy was satisfied for the 'languages' table by the role executing getNavigationMenu.
+-- Let's make languages readable by any authenticated user, plus the existing anon policy.
+-- This might re-trigger the "multiple_permissive_policies" if the admin FOR ALL policy is still active,
+-- but it should fix the immediate "0 rows returned" error.
+CREATE POLICY "languages_authenticated_can_read" ON public.languages
+  FOR SELECT
+  TO authenticated
+  USING (true); -- Any authenticated user can read languages.
+COMMENT ON POLICY "languages_authenticated_can_read" ON public.languages IS 'Any authenticated user can read languages.';
+-- "languages_anon_can_read" (FOR SELECT TO anon USING (true)) should still be active and is fine.
+-- "languages_admin_management" (FOR ALL TO authenticated USING role = ADMIN) is assumed to be active.
+-- This setup WILL cause a "multiple_permissive_policies" warning for an authenticated ADMIN
+-- because "languages_authenticated_can_read" (USING true) and the SELECT part of
+-- "languages_admin_management" (USING role=ADMIN) will both apply.
+-- The root cause of the "0 rows returned" is that *neither* of the v6 policies for authenticated
+-- was being met by the server-side client running getNavigationMenu, OR the client was anon
+-- and "languages_anon_can_read" was somehow not effective or missing.
+-- To ensure the `getNavigationMenu` function works for ANY role calling it:
+-- Let's reinstate a very simple public read policy for languages.
+-- This was the original policy from `20250514143016_setup_languages_table.sql`:
+-- `CREATE POLICY "languages_are_publicly_readable" ON public.languages FOR SELECT TO anon, authenticated USING (true);`
+-- This was later split.
+-- Cleanest approach to fix the immediate error, and then we can re-evaluate the linter:
+-- Ensure there's one policy that makes languages readable to everyone for SELECT.
+DROP POLICY IF EXISTS "languages_anon_can_read" ON public.languages;
+DROP POLICY IF EXISTS "languages_user_can_read" ON public.languages;
+DROP POLICY IF EXISTS "languages_authenticated_non_admin_can_read" ON public.languages;
+DROP POLICY IF EXISTS "languages_authenticated_can_read" ON public.languages;
+DROP POLICY IF EXISTS "languages_are_publicly_readable_by_all" ON public.languages; -- from _v2
+DROP POLICY IF EXISTS "languages_are_publicly_readable" ON public.languages; -- from original
+CREATE POLICY "languages_are_publicly_readable_for_all_roles" ON public.languages
+  FOR SELECT
+  USING (true); -- This allows 'anon' and all types of 'authenticated' users to read.
+COMMENT ON POLICY "languages_are_publicly_readable_for_all_roles" ON public.languages IS 'All roles (anon, authenticated) can read from the languages table.';
+-- The "languages_admin_management" policy (FOR ALL TO authenticated USING role=ADMIN) will still exist.
+-- This WILL re-introduce the "multiple_permissive_policies" warning for `languages` for `authenticated SELECT`,
+-- because an authenticated ADMIN will match both this new public read policy and their FOR ALL management policy.
+-- However, it should fix your immediate "Error fetching language ID" error.
+-- If the `FOR INSERT, UPDATE, DELETE` syntax was the true blocker, and you *must* use `FOR ALL` for admin management,
+-- then the previous "mutually exclusive USING clause" approach was logically correct but the linter didn't like it.
+-- The above `languages_are_publicly_readable_for_all_roles` is the simplest way to ensure reads, at the cost of a linter warning.
+COMMIT;

package/supabase/migrations/20250526182940_fix_nav_read_policy_v10.sql ADDED Viewed

@@ -0,0 +1,27 @@
+-- supabase/migrations/YYYYMMDDHHMMSS_fix_nav_read_policy_v10.sql
+BEGIN;
+-- == NAVIGATION ITEMS ==
+-- Drop the existing SELECT policy for authenticated non-admins, as we'll replace it with a broader one.
+DROP POLICY IF EXISTS "nav_items_authenticated_non_admin_can_read" ON public.navigation_items;
+-- Also drop older name if it somehow exists from v5 attempt
+DROP POLICY IF EXISTS "nav_items_user_can_read" ON public.navigation_items;
+-- Create a policy that allows ALL authenticated users to read navigation items.
+-- This will cover USER, WRITER, and ADMIN roles for SELECT.
+CREATE POLICY "nav_items_authenticated_can_read" ON public.navigation_items
+  FOR SELECT
+  TO authenticated
+  USING (true); -- Any authenticated user can read all navigation items.
+COMMENT ON POLICY "nav_items_authenticated_can_read" ON public.navigation_items IS 'All authenticated users (USER, WRITER, ADMIN) can read navigation items.';
+-- The following policies are assumed to be correctly in place and should remain:
+-- 1. "nav_items_anon_can_read" ON public.navigation_items FOR SELECT TO anon USING (true);
+-- 2. "nav_items_admin_can_insert" ON public.navigation_items FOR INSERT TO authenticated WITH CHECK (public.get_current_user_role() = 'ADMIN');
+-- 3. "nav_items_admin_can_update" ON public.navigation_items FOR UPDATE TO authenticated USING (public.get_current_user_role() = 'ADMIN') WITH CHECK (public.get_current_user_role() = 'ADMIN');
+-- 4. "nav_items_admin_can_delete" ON public.navigation_items FOR DELETE TO authenticated USING (public.get_current_user_role() = 'ADMIN');
+COMMIT;

package/supabase/migrations/20250526183239_fix_posts_read_rls_v11.sql ADDED Viewed

@@ -0,0 +1,59 @@
+-- supabase/migrations/YYYYMMDDHHMMSS_fix_posts_read_rls_v11.sql
+BEGIN;
+-- == POSTS ==
+-- Drop the existing specific SELECT policy for USER role if it exists
+DROP POLICY IF EXISTS "posts_user_role_can_read" ON public.posts;
+-- Drop any older variations that might exist from previous attempts
+DROP POLICY IF EXISTS "posts_user_authenticated_access" ON public.posts;
+DROP POLICY IF EXISTS "posts_authenticated_access" ON public.posts;
+-- Policy for anonymous users to read published posts (should already exist, ensure it's correct)
+DROP POLICY IF EXISTS "posts_anon_can_read_published" ON public.posts;
+CREATE POLICY "posts_anon_can_read_published" ON public.posts
+  FOR SELECT
+  TO anon
+  USING (status = 'published' AND (published_at IS NULL OR published_at <= now()));
+COMMENT ON POLICY "posts_anon_can_read_published" ON public.posts IS 'Anonymous users can read published posts.';
+-- Policy for ALL authenticated users to read PUBLISHED posts.
+-- This covers USER, WRITER, and ADMIN for viewing public, published content.
+CREATE POLICY "posts_authenticated_can_read_published" ON public.posts
+  FOR SELECT
+  TO authenticated
+  USING (status = 'published' AND (published_at IS NULL OR published_at <= now()));
+COMMENT ON POLICY "posts_authenticated_can_read_published" ON public.posts IS 'All authenticated users can read published posts.';
+-- Policy for authenticated users (authors) to read their OWN DRAFTS/non-published posts.
+-- This is important for CMS previews or if authors can view their non-live content.
+DROP POLICY IF EXISTS "posts_authors_can_read_own_drafts" ON public.posts;
+CREATE POLICY "posts_authors_can_read_own_drafts" ON public.posts
+  FOR SELECT
+  TO authenticated
+  USING (author_id = (SELECT auth.uid()) AND status <> 'published');
+COMMENT ON POLICY "posts_authors_can_read_own_drafts" ON public.posts IS 'Authenticated authors can read their own non-published posts.';
+-- The admin/writer management policies for INSERT, UPDATE, DELETE remain as they are (write-only).
+-- e.g., "posts_admin_writer_can_insert", "posts_admin_writer_can_update", "posts_admin_writer_can_delete"
+-- These do NOT provide SELECT access.
+-- Optional: If you need ADMINs/WRITERs to be able to SELECT *ALL* posts (including drafts of others)
+-- for CMS management purposes (e.g., in the /cms/posts listing page), you would need an
+-- additional policy or ensure their management policy was FOR ALL.
+-- However, for public site rendering (getPostDataBySlug), the above should be sufficient.
+-- If your CMS listing page for posts also breaks for ADMIN/WRITER, you might need:
+-- CREATE POLICY "posts_admin_writer_can_read_all_for_cms" ON public.posts
+--   FOR SELECT
+--   TO authenticated
+--   USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
+-- This WILL re-introduce a "multiple_permissive_policies" warning for ADMIN/WRITER on SELECT,
+-- as they would match this AND "posts_authenticated_can_read_published".
+-- For now, let's stick to fixing public reads. The CMS read access might be handled differently or might need its own policy.
+COMMIT;

package/supabase/migrations/20250526183746_fix_media_select_rls_v12.sql ADDED Viewed

@@ -0,0 +1,39 @@
+-- supabase/migrations/YYYYMMDDHHMMSS_fix_media_select_rls_v12.sql
+BEGIN;
+-- == MEDIA ==
+-- Drop the existing specific SELECT policy for the 'USER' role,
+-- as we will replace it with a broader one for all authenticated users.
+DROP POLICY IF EXISTS "media_user_role_can_read" ON public.media;
+-- Drop any older variations that might exist from previous attempts if their names were different
+DROP POLICY IF EXISTS "media_user_can_read" ON public.media;
+DROP POLICY IF EXISTS "media_readable_by_anon_and_non_privileged_users" ON public.media;
+-- Policy for anonymous users to read media (ensure this is in place and correct)
+-- This policy allows anyone to read any media record if no other policy restricts them.
+-- This is generally desired if your R2 bucket URLs are guessable or if images are meant to be public.
+DROP POLICY IF EXISTS "media_anon_can_read" ON public.media; -- From _v6/_v7 logic
+DROP POLICY IF EXISTS "media_is_publicly_readable_by_all" ON public.media; -- From _v8 logic
+DROP POLICY IF EXISTS "media_is_readable_by_all" ON public.media; -- Older name
+DROP POLICY IF EXISTS "media_are_publicly_readable" ON public.media; -- Older name
+CREATE POLICY "media_public_can_read" ON public.media
+  FOR SELECT
+  USING (true); -- Allows both 'anon' and 'authenticated' roles to read by default
+COMMENT ON POLICY "media_public_can_read" ON public.media IS 'All users (anonymous and authenticated) can read media records. This is the general read access.';
+-- The admin/writer management policies for INSERT, UPDATE, DELETE remain as they are (write-only).
+-- e.g., "media_admin_writer_can_insert", "media_admin_writer_can_update", "media_admin_writer_can_delete"
+-- These do NOT provide SELECT access.
+-- With the "media_public_can_read" policy USING (true), all authenticated users (USER, WRITER, ADMIN)
+-- will have SELECT access. This should resolve the error when fetching feature_image_id details
+-- and allow images to be displayed.
+-- This will also mean the linter should not complain about "multiple permissive policies for authenticated SELECT"
+-- because the management policies are write-only, and there's now one clear "public read" policy for SELECT.
+COMMIT;

package/supabase/migrations/20250526184205_consolidate_content_read_rls_v13.sql ADDED Viewed

@@ -0,0 +1,61 @@
+-- supabase/migrations/YYYYMMDDHHMMSS_consolidate_content_read_rls_v13.sql
+BEGIN;
+-- == POSTS ==
+-- Drop the existing separate SELECT policies for authenticated users on posts
+DROP POLICY IF EXISTS "posts_authenticated_can_read_published" ON public.posts;
+DROP POLICY IF EXISTS "posts_authors_can_read_own_drafts" ON public.posts;
+-- Drop any older variations that might exist
+DROP POLICY IF EXISTS "posts_user_role_can_read" ON public.posts;
+DROP POLICY IF EXISTS "posts_user_authenticated_access" ON public.posts;
+DROP POLICY IF EXISTS "posts_authenticated_access" ON public.posts;
+-- Create a single, comprehensive SELECT policy for authenticated users on posts
+CREATE POLICY "posts_authenticated_comprehensive_read" ON public.posts
+  FOR SELECT
+  TO authenticated
+  USING (
+    -- Condition 1: Any authenticated user can read PUBLISHED posts
+    (status = 'published' AND (published_at IS NULL OR published_at <= now())) OR
+    -- Condition 2: Authenticated authors can read their OWN NON-PUBLISHED posts
+    (author_id = (SELECT auth.uid()) AND status <> 'published') OR
+    -- Condition 3: ADMINs and WRITERs can read ALL posts (any status)
+    (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
+  );
+COMMENT ON POLICY "posts_authenticated_comprehensive_read" ON public.posts IS 'Handles all SELECT scenarios for authenticated users: published for all, own drafts for authors, and all posts for admins/writers.';
+-- "posts_anon_can_read_published" (FOR SELECT TO anon) is assumed to be correct and in place.
+-- Admin/Writer management policies (FOR INSERT, UPDATE, DELETE) are assumed to be correct and in place.
+-- == PAGES ==
+-- Drop the existing separate SELECT policies for authenticated users on pages
+DROP POLICY IF EXISTS "pages_authenticated_can_read_published" ON public.pages; -- If created in a previous step
+DROP POLICY IF EXISTS "pages_authors_can_read_own_drafts" ON public.pages; -- If created
+DROP POLICY IF EXISTS "pages_user_role_can_read" ON public.pages;
+DROP POLICY IF EXISTS "pages_user_authenticated_access" ON public.pages;
+DROP POLICY IF EXISTS "pages_authenticated_access" ON public.pages;
+-- Create a single, comprehensive SELECT policy for authenticated users on pages
+CREATE POLICY "pages_authenticated_comprehensive_read" ON public.pages
+  FOR SELECT
+  TO authenticated
+  USING (
+    -- Condition 1: Any authenticated user can read PUBLISHED pages
+    (status = 'published') OR
+    -- Condition 2: Authenticated authors can read their OWN NON-PUBLISHED pages
+    (author_id = (SELECT auth.uid()) AND status <> 'published') OR
+    -- Condition 3: ADMINs and WRITERs can read ALL pages (any status)
+    (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
+  );
+COMMENT ON POLICY "pages_authenticated_comprehensive_read" ON public.pages IS 'Handles all SELECT scenarios for authenticated users: published for all, own drafts for authors, and all pages for admins/writers.';
+-- "pages_anon_can_read_published" (FOR SELECT TO anon) is assumed to be correct and in place.
+-- Admin/Writer management policies (FOR INSERT, UPDATE, DELETE) are assumed to be correct and in place.
+COMMIT;

package/supabase/migrations/20250526185854_optimize_indexes.sql ADDED Viewed

@@ -0,0 +1,47 @@
+-- supabase/migrations/YYYYMMDDHHMMSS_optimize_indexes.sql
+-- (Replace YYYYMMDDHHMMSS with the actual timestamp of this migration file, e.g., 20250526185854)
+BEGIN;
+-- Add indexes for foreign keys in the 'public.blocks' table
+CREATE INDEX IF NOT EXISTS idx_blocks_language_id ON public.blocks(language_id);
+COMMENT ON INDEX public.idx_blocks_language_id IS 'Index for the foreign key blocks_language_id_fkey on public.blocks.';
+CREATE INDEX IF NOT EXISTS idx_blocks_page_id ON public.blocks(page_id);
+COMMENT ON INDEX public.idx_blocks_page_id IS 'Index for the foreign key blocks_page_id_fkey on public.blocks.';
+CREATE INDEX IF NOT EXISTS idx_blocks_post_id ON public.blocks(post_id);
+COMMENT ON INDEX public.idx_blocks_post_id IS 'Index for the foreign key blocks_post_id_fkey on public.blocks.';
+-- Add index for foreign key in the 'public.media' table
+CREATE INDEX IF NOT EXISTS idx_media_uploader_id ON public.media(uploader_id);
+COMMENT ON INDEX public.idx_media_uploader_id IS 'Index for the foreign key media_uploader_id_fkey on public.media.';
+-- Add indexes for foreign keys in the 'public.navigation_items' table
+CREATE INDEX IF NOT EXISTS idx_navigation_items_language_id ON public.navigation_items(language_id);
+COMMENT ON INDEX public.idx_navigation_items_language_id IS 'Index for the foreign key navigation_items_language_id_fkey on public.navigation_items.';
+CREATE INDEX IF NOT EXISTS idx_navigation_items_page_id ON public.navigation_items(page_id);
+COMMENT ON INDEX public.idx_navigation_items_page_id IS 'Index for the foreign key navigation_items_page_id_fkey on public.navigation_items.';
+CREATE INDEX IF NOT EXISTS idx_navigation_items_parent_id ON public.navigation_items(parent_id);
+COMMENT ON INDEX public.idx_navigation_items_parent_id IS 'Index for the foreign key navigation_items_parent_id_fkey on public.navigation_items.';
+-- Add index for foreign key in the 'public.pages' table
+CREATE INDEX IF NOT EXISTS idx_pages_author_id ON public.pages(author_id);
+COMMENT ON INDEX public.idx_pages_author_id IS 'Index for the foreign key pages_author_id_fkey on public.pages.';
+-- Add indexes for foreign keys in the 'public.posts' table
+CREATE INDEX IF NOT EXISTS idx_posts_feature_image_id ON public.posts(feature_image_id);
+COMMENT ON INDEX public.idx_posts_feature_image_id IS 'Index for the foreign key fk_feature_image on public.posts.';
+CREATE INDEX IF NOT EXISTS idx_posts_author_id ON public.posts(author_id);
+COMMENT ON INDEX public.idx_posts_author_id IS 'Index for the foreign key posts_author_id_fkey on public.posts.';
+-- Remove unused index in 'public.navigation_items' table
+-- The linter identified 'idx_navigation_items_translation_group_id' as unused.
+-- This index was created in migration 20250520171900_add_translation_group_to_nav_items.sql
+DROP INDEX IF EXISTS public.idx_navigation_items_translation_group_id;
+-- The COMMENT ON for the dropped index has been removed to prevent the error.
+COMMIT;

package/supabase/migrations/20250526190900_debug_blocks_rls.sql ADDED Viewed

@@ -0,0 +1,56 @@
+-- supabase/migrations/YYYYMMDDHHMMSS_debug_blocks_rls.sql
+BEGIN;
+-- Drop the more specific separated write policies for blocks from v8
+DROP POLICY IF EXISTS "blocks_admin_writer_can_insert" ON public.blocks;
+DROP POLICY IF EXISTS "blocks_admin_writer_can_update" ON public.blocks;
+DROP POLICY IF EXISTS "blocks_admin_writer_can_delete" ON public.blocks;
+-- Reinstate a broad "FOR ALL" policy for ADMINS and WRITERS on blocks
+-- This is similar to what was effectively in place before v8 for admin/writer management.
+CREATE POLICY "blocks_admin_writer_management_reinstated" ON public.blocks
+  FOR ALL -- Covers SELECT, INSERT, UPDATE, DELETE
+  TO authenticated
+  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
+  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
+COMMENT ON POLICY "blocks_admin_writer_management_reinstated" ON public.blocks IS 'Reinstated FOR ALL policy for ADMIN/WRITER to manage blocks. This may cause linter warnings for SELECT overlaps if other SELECT policies exist but is for debugging block creation.';
+-- Ensure SELECT policies for other roles are still in place and don't conflict in a breaking way.
+-- The policies "blocks_anon_can_read_published" and "blocks_user_role_can_read_published_parents" (from v5/v7) handle reads for anon and USERs.
+-- "blocks_anon_can_read_published" (FOR SELECT TO anon USING (...))
+-- "blocks_user_role_can_read_published_parents" (FOR SELECT TO authenticated USING (public.get_current_user_role() = 'USER' AND ...))
+-- Let's re-assert the anon read policy to be sure it's correct, as it was defined early on.
+DROP POLICY IF EXISTS "blocks_are_readable_if_parent_is_published" ON public.blocks; -- Original name from 20250514171553
+DROP POLICY IF EXISTS "blocks_anon_can_read_published" ON public.blocks; -- Renamed in 20250526153321
+CREATE POLICY "blocks_anon_can_read_published_content" ON public.blocks
+  FOR SELECT
+  TO anon
+  USING (
+    (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
+    (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
+  );
+COMMENT ON POLICY "blocks_anon_can_read_published_content" ON public.blocks IS 'Anonymous users can read blocks of published parent pages/posts.';
+-- Re-assert the USER role SELECT policy, ensuring it only applies to USER.
+DROP POLICY IF EXISTS "blocks_authenticated_user_access" ON public.blocks; -- From v4
+DROP POLICY IF EXISTS "blocks_user_role_can_read_published_parents" ON public.blocks; -- From v5/v7
+CREATE POLICY "blocks_auth_users_can_read_published_parents" ON public.blocks
+  FOR SELECT
+  TO authenticated
+  USING (
+    (public.get_current_user_role() = 'USER') AND -- Crucially, only applies to 'USER' role
+    (
+      (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
+      (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
+    )
+  );
+COMMENT ON POLICY "blocks_auth_users_can_read_published_parents" ON public.blocks IS 'Authenticated USERS can read blocks of published parents. Admin/Writer SELECT is handled by their management policy.';
+COMMIT;

package/supabase/migrations/20250526191217_consolidate_blocks_select_rls.sql ADDED Viewed

@@ -0,0 +1,79 @@
+-- supabase/migrations/YYYYMMDDHHMMSS_consolidate_blocks_select_rls.sql
+-- (Replace YYYYMMDDHHMMSS with the actual timestamp of this migration file)
+BEGIN;
+-- Drop existing policies for 'public.blocks' that will be replaced or refined.
+-- This includes the broad "FOR ALL" policy and the specific "USER" SELECT policy
+-- created in the previous debug migration.
+DROP POLICY IF EXISTS "blocks_admin_writer_management_reinstated" ON public.blocks;
+DROP POLICY IF EXISTS "blocks_auth_users_can_read_published_parents" ON public.blocks;
+-- The "blocks_anon_can_read_published_content" policy can remain as it targets 'anon'
+-- and does not conflict with 'authenticated' role policies for the linter's warning.
+-- However, if you wish to have a completely clean slate before adding the consolidated one,
+-- you can drop and re-add it. For this exercise, we'll assume it's fine and already specific.
+-- If it was named "blocks_anon_can_read_published" from 20250526153321_optimize_rls_policies.sql:
+-- DROP POLICY IF EXISTS "blocks_anon_can_read_published" ON public.blocks;
+-- Or if it was "blocks_are_readable_if_parent_is_published" from 20250514171553_create_blocks_table.sql:
+-- DROP POLICY IF EXISTS "blocks_are_readable_if_parent_is_published" ON public.blocks;
+-- Re-creating the anon policy for clarity and to ensure it's exactly as needed:
+DROP POLICY IF EXISTS "blocks_anon_can_read_published_content" ON public.blocks; -- From debug migration
+DROP POLICY IF EXISTS "blocks_anon_can_read_published" ON public.blocks; -- From optimize_rls_policies
+DROP POLICY IF EXISTS "blocks_are_readable_if_parent_is_published" ON public.blocks; -- From initial table creation
+CREATE POLICY "blocks_anon_can_read_published_blocks" ON public.blocks
+  FOR SELECT
+  TO anon
+  USING (
+    (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
+    (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
+  );
+COMMENT ON POLICY "blocks_anon_can_read_published_blocks" ON public.blocks IS 'Anonymous users can read blocks of published parent content.';
+-- Create a single, comprehensive SELECT policy for ALL authenticated users on blocks
+CREATE POLICY "blocks_authenticated_comprehensive_select" ON public.blocks
+  FOR SELECT
+  TO authenticated
+  USING (
+    (
+      -- Condition for ADMIN or WRITER: they can read ALL blocks
+      (SELECT public.get_current_user_role()) IN ('ADMIN', 'WRITER')
+    ) OR
+    (
+      -- Condition for USER: they can read blocks of published parents
+      ((SELECT public.get_current_user_role()) = 'USER') AND
+      (
+        (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
+        (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
+      )
+    )
+  );
+COMMENT ON POLICY "blocks_authenticated_comprehensive_select" ON public.blocks IS 'Comprehensive SELECT policy for authenticated users on the blocks table, differentiating access by role (ADMIN/WRITER see all, USER sees blocks of published parents).';
+-- Re-add the specific management policies for INSERT, UPDATE, DELETE for ADMIN/WRITER.
+-- These only have WITH CHECK (for INSERT/UPDATE) or USING (for DELETE/UPDATE) based on role.
+-- These were the ones created in 20250526174710_separate_write_policies_v8.sql and are fine.
+CREATE POLICY "blocks_admin_writer_can_insert" ON public.blocks
+  FOR INSERT
+  TO authenticated
+  WITH CHECK ((SELECT public.get_current_user_role()) IN ('ADMIN', 'WRITER'));
+COMMENT ON POLICY "blocks_admin_writer_can_insert" ON public.blocks IS 'Admins/Writers can insert blocks.';
+CREATE POLICY "blocks_admin_writer_can_update" ON public.blocks
+  FOR UPDATE
+  TO authenticated
+  USING ((SELECT public.get_current_user_role()) IN ('ADMIN', 'WRITER')) -- Who can be targeted by an update
+  WITH CHECK ((SELECT public.get_current_user_role()) IN ('ADMIN', 'WRITER')); -- What rows can be created/modified by them
+COMMENT ON POLICY "blocks_admin_writer_can_update" ON public.blocks IS 'Admins/Writers can update blocks.';
+CREATE POLICY "blocks_admin_writer_can_delete" ON public.blocks
+  FOR DELETE
+  TO authenticated
+  USING ((SELECT public.get_current_user_role()) IN ('ADMIN', 'WRITER'));
+COMMENT ON POLICY "blocks_admin_writer_can_delete" ON public.blocks IS 'Admins/Writers can delete blocks.';
+COMMIT;

package/supabase/migrations/20250526192822_fix_handle_languages_update_search_path.sql ADDED Viewed

@@ -0,0 +1,32 @@
+-- supabase/migrations/YYYYMMDDHHMMSS_fix_handle_languages_update_search_path.sql
+-- (Replace YYYYMMDDHHMMSS with the actual timestamp of this migration file)
+BEGIN;
+-- Step 1: Drop the existing trigger that depends on the function.
+DROP TRIGGER IF EXISTS on_languages_update ON public.languages;
+-- Step 2: Now it's safe to drop and recreate the function.
+DROP FUNCTION IF EXISTS public.handle_languages_update();
+CREATE OR REPLACE FUNCTION public.handle_languages_update()
+RETURNS TRIGGER
+LANGUAGE plpgsql
+SECURITY DEFINER -- Explicitly set security context
+SET search_path = public -- Explicitly set search_path
+AS $$
+BEGIN
+  NEW.updated_at = now();
+  RETURN NEW;
+END;
+$$;
+COMMENT ON FUNCTION public.handle_languages_update() IS 'Sets updated_at timestamp on language update. Includes explicit search_path and security definer.';
+-- Step 3: Re-create the trigger to use the updated function.
+CREATE TRIGGER on_languages_update
+  BEFORE UPDATE ON public.languages
+  FOR EACH ROW
+  EXECUTE PROCEDURE public.handle_languages_update();
+COMMIT;

package/supabase/migrations/20250527150500_fix_blocks_rls_policy.sql ADDED Viewed

@@ -0,0 +1,54 @@
+-- Fix blocks RLS policy to resolve joined query issues
+-- Replace public.get_current_user_role() with direct EXISTS queries
+BEGIN;
+-- Drop the existing comprehensive SELECT policy that uses the problematic function
+DROP POLICY IF EXISTS "blocks_authenticated_comprehensive_select" ON public.blocks;
+-- Drop the existing management policies that use the problematic function
+DROP POLICY IF EXISTS "blocks_admin_writer_can_insert" ON public.blocks;
+DROP POLICY IF EXISTS "blocks_admin_writer_can_update" ON public.blocks;
+DROP POLICY IF EXISTS "blocks_admin_writer_can_delete" ON public.blocks;
+-- Create a new comprehensive SELECT policy using direct EXISTS queries
+CREATE POLICY "blocks_authenticated_comprehensive_select" ON public.blocks
+  FOR SELECT
+  TO authenticated
+  USING (
+    (
+      -- Condition for ADMIN or WRITER: they can read ALL blocks
+      EXISTS (SELECT 1 FROM public.profiles WHERE id = auth.uid() AND role IN ('ADMIN', 'WRITER'))
+    ) OR
+    (
+      -- Condition for USER: they can read blocks of published parents
+      EXISTS (SELECT 1 FROM public.profiles WHERE id = auth.uid() AND role = 'USER') AND
+      (
+        (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
+        (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
+      )
+    )
+  );
+COMMENT ON POLICY "blocks_authenticated_comprehensive_select" ON public.blocks IS 'Comprehensive SELECT policy for authenticated users on the blocks table, differentiating access by role (ADMIN/WRITER see all, USER sees blocks of published parents). Uses direct EXISTS queries to avoid function call issues in joined queries.';
+-- Re-create the management policies using direct EXISTS queries
+CREATE POLICY "blocks_admin_writer_can_insert" ON public.blocks
+  FOR INSERT
+  TO authenticated
+  WITH CHECK (EXISTS (SELECT 1 FROM public.profiles WHERE id = auth.uid() AND role IN ('ADMIN', 'WRITER')));
+COMMENT ON POLICY "blocks_admin_writer_can_insert" ON public.blocks IS 'Admins/Writers can insert blocks.';
+CREATE POLICY "blocks_admin_writer_can_update" ON public.blocks
+  FOR UPDATE
+  TO authenticated
+  USING (EXISTS (SELECT 1 FROM public.profiles WHERE id = auth.uid() AND role IN ('ADMIN', 'WRITER'))) -- Who can be targeted by an update
+  WITH CHECK (EXISTS (SELECT 1 FROM public.profiles WHERE id = auth.uid() AND role IN ('ADMIN', 'WRITER'))); -- What rows can be created/modified by them
+COMMENT ON POLICY "blocks_admin_writer_can_update" ON public.blocks IS 'Admins/Writers can update blocks.';
+CREATE POLICY "blocks_admin_writer_can_delete" ON public.blocks
+  FOR DELETE
+  TO authenticated
+  USING (EXISTS (SELECT 1 FROM public.profiles WHERE id = auth.uid() AND role IN ('ADMIN', 'WRITER')));
+COMMENT ON POLICY "blocks_admin_writer_can_delete" ON public.blocks IS 'Admins/Writers can delete blocks.';
+COMMIT;

package/supabase/migrations/20250602150602_add_blur_data_url_to_media.sql ADDED Viewed

@@ -0,0 +1,4 @@
+ALTER TABLE public.media
+ADD COLUMN blur_data_url TEXT NULL;
+COMMENT ON COLUMN public.media.blur_data_url IS 'Stores the base64 encoded string for image blur placeholders.';

package/supabase/migrations/20250602150959_add_variants_to_media.sql ADDED Viewed

@@ -0,0 +1,4 @@
+ALTER TABLE public.media
+ADD COLUMN variants JSONB NULL;
+COMMENT ON COLUMN public.media.variants IS 'Stores an array of image variant objects, including different sizes and formats.';

package/supabase/migrations/20250618124000_create_get_my_claim_function.sql ADDED Viewed

@@ -0,0 +1,5 @@
+CREATE OR REPLACE FUNCTION get_my_claim(claim TEXT)
+RETURNS JSONB AS $$
+  SET search_path = '';
+  SELECT COALESCE(current_setting('request.jwt.claims', true)::JSONB ->> claim, NULL)::JSONB
+$$ LANGUAGE SQL STABLE;

package/supabase/migrations/20250618124100_create_logos_table.sql ADDED Viewed

@@ -0,0 +1,29 @@
+CREATE TABLE public.logos (
+    id uuid NOT NULL DEFAULT gen_random_uuid(),
+    created_at timestamp with time zone NOT NULL DEFAULT now(),
+    name text NOT NULL,
+    media_id uuid,
+    CONSTRAINT logos_pkey PRIMARY KEY (id),
+    CONSTRAINT logos_media_id_fkey FOREIGN KEY (media_id) REFERENCES public.media(id) ON DELETE SET NULL
+);
+COMMENT ON TABLE public.logos IS 'Stores company and brand logos.';
+COMMENT ON COLUMN public.logos.name IS 'The name of the brand or company for the logo.';
+COMMENT ON COLUMN public.logos.media_id IS 'Foreign key to the media table for the logo image.';
+GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE public.logos TO authenticated;
+ALTER TABLE public.logos ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "Allow read access for authenticated users on logos"
+ON public.logos
+FOR SELECT
+TO authenticated
+USING (true);
+CREATE POLICY "Allow admin users to manage logos"
+ON public.logos
+FOR ALL
+TO authenticated
+USING (((SELECT get_my_claim('user_role'::text)) = '"admin"'::jsonb))
+WITH CHECK (((SELECT get_my_claim('user_role'::text)) = '"admin"'::jsonb));