npm - @nextblock-cms/db - Versions diffs - 0.2.10 → 0.2.11 - Mend

@nextblock-cms/db 0.2.10 → 0.2.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (86) hide show

package/supabase/migrations/20250618130000_fix_linter_warnings.sql ADDED Viewed

@@ -0,0 +1,58 @@
+-- Fix multiple permissive policies on logos table
+DROP POLICY IF EXISTS "Allow admin users to manage logos" ON public.logos;
+DROP POLICY IF EXISTS "Allow read access for authenticated users on logos" ON public.logos;
+CREATE POLICY "Allow read access for authenticated users on logos"
+ON public.logos
+FOR SELECT
+TO authenticated
+USING (true);
+CREATE POLICY "Allow admin users to insert logos"
+ON public.logos
+FOR INSERT TO authenticated
+WITH CHECK ((get_my_claim('user_role'::text) = '"admin"'::jsonb));
+CREATE POLICY "Allow admin users to update logos"
+ON public.logos
+FOR UPDATE TO authenticated
+USING ((get_my_claim('user_role'::text) = '"admin"'::jsonb))
+WITH CHECK ((get_my_claim('user_role'::text) = '"admin"'::jsonb));
+CREATE POLICY "Allow admin users to delete logos"
+ON public.logos
+FOR DELETE TO authenticated
+USING ((get_my_claim('user_role'::text) = '"admin"'::jsonb));
+-- Fix mutable search path for get_my_claim
+CREATE OR REPLACE FUNCTION get_my_claim(claim TEXT)
+RETURNS JSONB AS $$
+  SET search_path = '';
+  SELECT COALESCE(current_setting('request.jwt.claims', true)::JSONB ->> claim, NULL)::JSONB
+$$ LANGUAGE SQL STABLE;
+-- Optimize RLS policies on blocks table
+DROP POLICY IF EXISTS "blocks_are_readable_if_parent_is_published" ON public.blocks;
+DROP POLICY IF EXISTS "admins_and_writers_can_manage_blocks" ON public.blocks;
+CREATE POLICY "blocks_are_readable_if_parent_is_published"
+ON public.blocks FOR SELECT
+TO anon, authenticated
+USING (
+  (page_id IS NOT NULL AND EXISTS (
+    SELECT 1
+    FROM public.pages p
+    WHERE p.id = blocks.page_id AND p.status = 'published'
+  )) OR
+  (post_id IS NOT NULL AND EXISTS (
+    SELECT 1
+    FROM public.posts pt
+    WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())
+  ))
+);
+CREATE POLICY "admins_and_writers_can_manage_blocks"
+ON public.blocks FOR ALL
+TO authenticated
+USING ((SELECT get_my_claim('user_role'::text)) IN ('"admin"', '"writer"'))
+WITH CHECK ((SELECT get_my_claim('user_role'::text)) IN ('"admin"', '"writer"'));

package/supabase/migrations/20250618151500_revert_storage_rls.sql ADDED Viewed

@@ -0,0 +1,6 @@
+-- Reverts the RLS policies on storage.objects that caused the upload failure.
+DROP POLICY IF EXISTS "allow_authenticated_uploads" ON storage.objects;
+DROP POLICY IF EXISTS "allow_authenticated_select" ON storage.objects;
+DROP POLICY IF EXISTS "allow_authenticated_updates" ON storage.objects;
+DROP POLICY IF EXISTS "allow_authenticated_deletes" ON storage.objects;

package/supabase/migrations/20250619084800_reinstate_storage_rls.sql ADDED Viewed

@@ -0,0 +1,13 @@
+-- Re-enables RLS policies for storage.objects to allow authenticated uploads.
+-- Adds a policy allowing authenticated users to upload files
+CREATE POLICY "allow_authenticated_uploads" ON storage.objects FOR INSERT TO authenticated WITH CHECK (bucket_id = 'public' AND owner = auth.uid());
+-- Allow authenticated users to SELECT files
+CREATE POLICY "allow_authenticated_select" ON storage.objects FOR SELECT TO authenticated USING (bucket_id = 'public');
+-- Allow authenticated users to UPDATE their own files
+CREATE POLICY "allow_authenticated_updates" ON storage.objects FOR UPDATE TO authenticated USING (bucket_id = 'public' AND owner = auth.uid());
+-- Allow authenticated users to DELETE their own files
+CREATE POLICY "allow_authenticated_deletes" ON storage.objects FOR DELETE TO authenticated USING (bucket_id = 'public' AND owner = auth.uid());

package/supabase/migrations/20250619092430_widen_logo_insert_policy.sql ADDED Viewed

@@ -0,0 +1,6 @@
+DROP POLICY IF EXISTS "Allow admins to manage logos" ON public.logos;
+CREATE POLICY "Allow admin and writer users to insert logos"
+ON public.logos
+FOR INSERT TO authenticated
+WITH CHECK ((get_my_claim('user_role'::text) IN ('"admin"'::jsonb, '"writer"'::jsonb)));

package/supabase/migrations/20250619093122_fix_get_my_claim_volatility.sql ADDED Viewed

@@ -0,0 +1,5 @@
+CREATE OR REPLACE FUNCTION get_my_claim(claim TEXT)
+RETURNS JSONB AS $$
+  SET search_path = '';
+  SELECT COALESCE(current_setting('request.jwt.claims', true)::JSONB ->> claim, NULL)::JSONB
+$$ LANGUAGE SQL VOLATILE;

package/supabase/migrations/20250619104249_consolidated_logo_rls_fix.sql ADDED Viewed

@@ -0,0 +1,56 @@
+-- Step 1: Drop all dependent policies first.
+DROP POLICY IF EXISTS "Allow admins to manage logos" ON public.logos;
+DROP POLICY IF EXISTS "Allow users to insert logos" ON public.logos;
+DROP POLICY IF EXISTS "Allow logo insert for writers and admins" ON public.logos;
+DROP POLICY IF EXISTS "Allow logo update for admins" ON public.logos;
+DROP POLICY IF EXISTS "Allow logo delete for admins" ON public.logos;
+-- Step 2: Drop the old function to avoid return type conflicts.
+-- Note: It's critical to drop policies before the function they depend on.
+DROP FUNCTION IF EXISTS get_my_claim(text) CASCADE;
+-- Step 3: Redefine the get_my_claim function to be more robust and return TEXT.
+-- This avoids JSON casting errors and type mismatches in policies.
+CREATE OR REPLACE FUNCTION get_my_claim(claim TEXT)
+RETURNS TEXT AS $$
+DECLARE
+    claims jsonb;
+    claim_value text;
+BEGIN
+    -- Safely get claims, defaulting to NULL if not present or invalid JSON
+    BEGIN
+        claims := current_setting('request.jwt.claims', true)::jsonb;
+    EXCEPTION
+        WHEN invalid_text_representation THEN
+            claims := NULL;
+    END;
+    -- If claims are NULL, return NULL
+    IF claims IS NULL THEN
+        RETURN NULL;
+    END IF;
+    -- Safely extract the claim value as text, removing quotes
+    claim_value := claims ->> claim;
+    RETURN claim_value;
+END;
+$$ LANGUAGE plpgsql VOLATILE;
+-- Create the new, correct policies using the updated function
+CREATE POLICY "Allow logo insert for authenticated users"
+ON public.logos
+FOR INSERT
+WITH CHECK (auth.role() = 'authenticated');
+CREATE POLICY "Allow logo update for authenticated users"
+ON public.logos
+FOR UPDATE
+USING (auth.role() = 'authenticated')
+WITH CHECK (auth.role() = 'authenticated');
+CREATE POLICY "Allow logo delete for authenticated users"
+ON public.logos
+FOR DELETE
+USING (auth.role() = 'authenticated');

package/supabase/migrations/20250619110700_fix_logo_rls_again.sql ADDED Viewed

@@ -0,0 +1,59 @@
+-- Step 1: Drop all dependent policies first.
+DROP POLICY IF EXISTS "Allow admins to manage logos" ON public.logos;
+DROP POLICY IF EXISTS "Allow users to insert logos" ON public.logos;
+DROP POLICY IF EXISTS "Allow logo insert for writers and admins" ON public.logos;
+DROP POLICY IF EXISTS "Allow logo update for admins" ON public.logos;
+DROP POLICY IF EXISTS "Allow logo delete for admins" ON public.logos;
+DROP POLICY IF EXISTS "Allow logo insert for authenticated users" ON public.logos;
+DROP POLICY IF EXISTS "Allow logo update for authenticated users" ON public.logos;
+DROP POLICY IF EXISTS "Allow logo delete for authenticated users" ON public.logos;
+-- Step 2: Drop the old function to avoid return type conflicts.
+-- Note: It's critical to drop policies before the function they depend on.
+DROP FUNCTION IF EXISTS get_my_claim(text) CASCADE;
+-- Step 3: Redefine the get_my_claim function to be more robust and return TEXT.
+-- This avoids JSON casting errors and type mismatches in policies.
+CREATE OR REPLACE FUNCTION get_my_claim(claim TEXT)
+RETURNS TEXT AS $$
+DECLARE
+    claims jsonb;
+    claim_value text;
+BEGIN
+    -- Safely get claims, defaulting to NULL if not present or invalid JSON
+    BEGIN
+        claims := current_setting('request.jwt.claims', true)::jsonb;
+    EXCEPTION
+        WHEN invalid_text_representation THEN
+            claims := NULL;
+    END;
+    -- If claims are NULL, return NULL
+    IF claims IS NULL THEN
+        RETURN NULL;
+    END IF;
+    -- Safely extract the claim value as text, removing quotes
+    claim_value := claims ->> claim;
+    RETURN claim_value;
+END;
+$$ LANGUAGE plpgsql VOLATILE;
+-- Create the new, correct policies using the updated function
+CREATE POLICY "Allow logo insert for authenticated users"
+ON public.logos
+FOR INSERT
+WITH CHECK (auth.role() = 'authenticated');
+CREATE POLICY "Allow logo update for authenticated users"
+ON public.logos
+FOR UPDATE
+USING (auth.role() = 'authenticated')
+WITH CHECK (auth.role() = 'authenticated');
+CREATE POLICY "Allow logo delete for authenticated users"
+ON public.logos
+FOR DELETE
+USING (auth.role() = 'authenticated');

package/supabase/migrations/20250619113200_add_file_path_to_media.sql ADDED Viewed

@@ -0,0 +1,4 @@
+ALTER TABLE public.media
+ADD COLUMN file_path TEXT;
+COMMENT ON COLUMN public.media.file_path IS 'The full path to the file in the storage bucket.';

package/supabase/migrations/20250619124100_fix_rls_performance_warnings.sql ADDED Viewed

@@ -0,0 +1,74 @@
+BEGIN;
+-- Drop existing policies for 'public.logos'
+DROP POLICY IF EXISTS "Allow logo insert for authenticated users" ON public.logos;
+DROP POLICY IF EXISTS "Allow logo update for authenticated users" ON public.logos;
+DROP POLICY IF EXISTS "Allow logo delete for authenticated users" ON public.logos;
+-- Recreate policies for 'public.logos' with optimized auth calls
+CREATE POLICY "Allow logo insert for authenticated users"
+ON public.logos
+FOR INSERT
+WITH CHECK ((SELECT auth.role()) = 'authenticated');
+CREATE POLICY "Allow logo update for authenticated users"
+ON public.logos
+FOR UPDATE
+USING ((SELECT auth.role()) = 'authenticated')
+WITH CHECK ((SELECT auth.role()) = 'authenticated');
+CREATE POLICY "Allow logo delete for authenticated users"
+ON public.logos
+FOR DELETE
+USING ((SELECT auth.role()) = 'authenticated');
+-- Drop existing policies for 'public.blocks'
+DROP POLICY IF EXISTS "blocks_authenticated_comprehensive_select" ON public.blocks;
+DROP POLICY IF EXISTS "blocks_admin_writer_can_insert" ON public.blocks;
+DROP POLICY IF EXISTS "blocks_admin_writer_can_update" ON public.blocks;
+DROP POLICY IF EXISTS "blocks_admin_writer_can_delete" ON public.blocks;
+DROP POLICY IF EXISTS "blocks_anon_can_read_published_blocks" ON public.blocks;
+DROP POLICY IF EXISTS "blocks_are_readable_if_parent_is_published" ON public.blocks;
+-- Create a new comprehensive SELECT policy for 'public.blocks'
+CREATE POLICY "Allow read access to blocks" ON public.blocks
+FOR SELECT USING (
+  (
+    -- Anonymous users can read blocks of published content
+    (SELECT auth.role()) = 'anon' AND
+    (
+      (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
+      (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
+    )
+  ) OR (
+    -- Authenticated users have role-based access
+    (SELECT auth.role()) = 'authenticated' AND
+    (
+      (
+        -- ADMIN or WRITER can read all blocks
+        EXISTS (SELECT 1 FROM public.profiles WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER'))
+      ) OR
+      (
+        -- USER can read blocks of published parents
+        EXISTS (SELECT 1 FROM public.profiles WHERE id = (SELECT auth.uid()) AND role = 'USER') AND
+        (
+          (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
+          (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
+        )
+      )
+    )
+  )
+);
+-- Re-create the management policies for 'public.blocks' with optimized auth calls
+CREATE POLICY "Allow insert for admins and writers on blocks" ON public.blocks
+FOR INSERT WITH CHECK (EXISTS (SELECT 1 FROM public.profiles WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')));
+CREATE POLICY "Allow update for admins and writers on blocks" ON public.blocks
+FOR UPDATE USING (EXISTS (SELECT 1 FROM public.profiles WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')))
+WITH CHECK (EXISTS (SELECT 1 FROM public.profiles WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')));
+CREATE POLICY "Allow delete for admins and writers on blocks" ON public.blocks
+FOR DELETE USING (EXISTS (SELECT 1 FROM public.profiles WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')));
+COMMIT;

package/supabase/migrations/20250619195500_create_site_settings_table.sql ADDED Viewed

@@ -0,0 +1,28 @@
+-- supabase/migrations/20250619195500_create_site_settings_table.sql
+CREATE TABLE public.site_settings (
+    key TEXT PRIMARY KEY,
+    value JSONB
+);
+-- Enable RLS
+ALTER TABLE public.site_settings ENABLE ROW LEVEL SECURITY;
+-- Allow admins to do everything
+CREATE POLICY "Allow admins full access on site_settings"
+ON public.site_settings
+FOR ALL
+TO authenticated
+USING (get_my_claim('user_role') = '"admin"');
+-- Allow authenticated users to read settings
+CREATE POLICY "Allow authenticated users to read site_settings"
+ON public.site_settings
+FOR SELECT
+TO authenticated
+USING (true);
+-- Seed initial copyright setting
+INSERT INTO public.site_settings (key, value)
+VALUES ('footer_copyright', '{"en": "© {year} Nextblock CMS. All rights reserved.", "fr": "© {year} Nextblock CMS. Tous droits réservés."}')
+ON CONFLICT (key) DO NOTHING;

package/supabase/migrations/20250619201500_add_anon_read_to_site_settings.sql ADDED Viewed

@@ -0,0 +1,7 @@
+-- supabase/migrations/20250619201500_add_anon_read_to_site_settings.sql
+CREATE POLICY "Allow public read access to site_settings"
+ON public.site_settings
+FOR SELECT
+TO anon
+USING (true);

package/supabase/migrations/20250619202000_add_is_active_to_languages.sql ADDED Viewed

@@ -0,0 +1,5 @@
+-- Add is_active column to languages table
+ALTER TABLE public.languages
+ADD COLUMN is_active BOOLEAN NOT NULL DEFAULT true;
+COMMENT ON COLUMN public.languages.is_active IS 'Indicates if the language is currently active and available for use.';

package/supabase/migrations/20250620085700_fix_site_settings_write_rls.sql ADDED Viewed

@@ -0,0 +1,27 @@
+-- Drop existing policies if they exist to avoid conflicts.
+DROP POLICY IF EXISTS "Allow ADMIN and WRITER to insert into site_settings" ON public.site_settings;
+DROP POLICY IF EXISTS "Allow ADMIN and WRITER to update site_settings" ON public.site_settings;
+DROP POLICY IF EXISTS "Allow ADMIN and WRITER to modify site_settings" ON public.site_settings;
+-- This policy grants permission to insert into the site_settings table
+-- to any authenticated user whose role in the profiles table is 'ADMIN' or 'WRITER'.
+CREATE POLICY "Allow ADMIN and WRITER to insert into site_settings"
+ON public.site_settings
+FOR INSERT
+TO authenticated
+WITH CHECK (
+  (SELECT role FROM public.profiles WHERE id = auth.uid()) IN ('ADMIN', 'WRITER')
+);
+-- This policy grants permission to update the site_settings table
+-- to any authenticated user whose role in the profiles table is 'ADMIN' or 'WRITER'.
+CREATE POLICY "Allow ADMIN and WRITER to update site_settings"
+ON public.site_settings
+FOR UPDATE
+TO authenticated
+USING (
+  (SELECT role FROM public.profiles WHERE id = auth.uid()) IN ('ADMIN', 'WRITER')
+)
+WITH CHECK (
+  (SELECT role FROM public.profiles WHERE id = auth.uid()) IN ('ADMIN', 'WRITER')
+);

package/supabase/migrations/20250620095500_fix_profiles_read_rls.sql ADDED Viewed

@@ -0,0 +1,11 @@
+-- Drop the policy if it exists to ensure a clean state.
+DROP POLICY IF EXISTS "Allow user to read their own profile" ON public.profiles;
+-- This policy allows an authenticated user to read their own row from the profiles table.
+-- This is necessary for other RLS policies (like the one on site_settings) to be able
+-- to look up the user's role during policy evaluation.
+CREATE POLICY "Allow user to read their own profile"
+ON public.profiles
+FOR SELECT
+TO authenticated
+USING (auth.uid() = id);

package/supabase/migrations/20250620100000_use_security_definer_for_rls.sql ADDED Viewed

@@ -0,0 +1,39 @@
+-- Drop all previous policies on site_settings to ensure a clean slate.
+DROP POLICY IF EXISTS "Allow ADMIN and WRITER to insert into site_settings" ON public.site_settings;
+DROP POLICY IF EXISTS "Allow ADMIN and WRITER to update site_settings" ON public.site_settings;
+DROP POLICY IF EXISTS "Allow ADMIN and WRITER to modify site_settings" ON public.site_settings;
+-- Create a trusted, elevated-privilege function to get the current user's role.
+-- SECURITY DEFINER makes it run with the permissions of the function owner, bypassing nested RLS.
+CREATE OR REPLACE FUNCTION get_my_role()
+RETURNS TEXT AS $$
+DECLARE
+  user_role TEXT;
+BEGIN
+  SELECT role INTO user_role FROM public.profiles WHERE id = auth.uid();
+  RETURN user_role;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+-- This policy grants permission to insert into the site_settings table
+-- by using the trusted function to check the user's role.
+CREATE POLICY "Allow insert based on user role"
+ON public.site_settings
+FOR INSERT
+TO authenticated
+WITH CHECK (
+  get_my_role() IN ('ADMIN', 'WRITER')
+);
+-- This policy grants permission to update the site_settings table
+-- by using the trusted function to check the user's role.
+CREATE POLICY "Allow update based on user role"
+ON public.site_settings
+FOR UPDATE
+TO authenticated
+USING (
+  get_my_role() IN ('ADMIN', 'WRITER')
+)
+WITH CHECK (
+  get_my_role() IN ('ADMIN', 'WRITER')
+);

package/supabase/migrations/20250620130000_add_public_read_to_logos.sql ADDED Viewed

@@ -0,0 +1,4 @@
+CREATE POLICY "Allow public read access to logos"
+ON public.logos
+FOR SELECT
+USING (true);

package/supabase/migrations/20250708091700_create_translations_table.sql ADDED Viewed

@@ -0,0 +1,55 @@
+-- Create the translations table
+CREATE TABLE translations (
+    key TEXT PRIMARY KEY,
+    translations JSONB NOT NULL,
+    created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
+    updated_at TIMESTAMPTZ DEFAULT now() NOT NULL
+);
+-- Add comments on the columns
+COMMENT ON COLUMN translations.key IS 'A unique, slugified identifier (e.g., "sign_in_button_text").';
+COMMENT ON COLUMN translations.translations IS 'Stores translations as key-value pairs (e.g., {"en": "Sign In", "fr": "s''inscrire"}).';
+-- Enable Row Level Security
+ALTER TABLE translations ENABLE ROW LEVEL SECURITY;
+-- RLS Policies
+CREATE POLICY "Allow all access to ADMIN"
+ON public.translations
+FOR ALL
+TO authenticated
+USING (
+  (auth.jwt() ->> 'user_role') = 'ADMIN'
+)
+WITH CHECK (
+  (auth.jwt() ->> 'user_role') = 'ADMIN'
+);
+CREATE POLICY "Allow read access to all authenticated users"
+ON public.translations
+FOR SELECT
+TO authenticated
+USING (true);
+CREATE POLICY "Allow read access to all anonymous users"
+ON public.translations
+FOR SELECT
+TO anon
+USING (true);
+-- Trigger to update updated_at timestamp
+CREATE OR REPLACE FUNCTION public.set_current_timestamp_updated_at()
+RETURNS TRIGGER AS $$
+DECLARE
+  _new record;
+BEGIN
+  _new := NEW;
+  _new."updated_at" = NOW();
+  RETURN _new;
+END;
+$$ LANGUAGE plpgsql;
+CREATE TRIGGER set_updated_at
+BEFORE UPDATE ON public.translations
+FOR EACH ROW
+EXECUTE FUNCTION public.set_current_timestamp_updated_at();

package/supabase/migrations/20250708093403_seed_translations_table.sql ADDED Viewed

@@ -0,0 +1,20 @@
+INSERT INTO public.translations (key, translations) VALUES
+('sign_in', '{"en": "Sign in", "fr": "Connexion"}'),
+('sign_up', '{"en": "Sign up", "fr": "Inscription"}'),
+('sign_out', '{"en": "Sign out", "fr": "Déconnexion"}'),
+('dont_have_account', '{"en": "Don''t have an account?", "fr": "Pas encore de compte ?"}'),
+('email', '{"en": "Email", "fr": "Email"}'),
+('you_at_example_com', '{"en": "you@example.com", "fr": "vous@example.com"}'),
+('password', '{"en": "Password", "fr": "Mot de passe"}'),
+('forgot_password', '{"en": "Forgot Password?", "fr": "Mot de passe oublié ?"}'),
+('your_password', '{"en": "Your password", "fr": "Votre mot de passe"}'),
+('signing_in_pending', '{"en": "Signing In...", "fr": "Connexion en cours..."}'),
+('already_have_account', '{"en": "Already have an account?", "fr": "Déjà un compte ?"}'),
+('signing_up_pending', '{"en": "Signing up...", "fr": "Inscription en cours..."}'),
+('reset_password', '{"en": "Reset Password", "fr": "Réinitialiser le mot de passe"}');
+-- Route prefix for the blog section
+INSERT INTO public.translations (key, translations) VALUES
+('blog_prefix', '{"en": "article", "fr": "article"}')
+ON CONFLICT (key) DO UPDATE
+SET translations = EXCLUDED.translations;

package/supabase/migrations/20250708110600_fix_translations_rls_policies.sql ADDED Viewed

@@ -0,0 +1,11 @@
+-- Drop the existing restrictive policy for updates
+DROP POLICY IF EXISTS "Allow all access to ADMIN" ON public.translations;
+-- Create a more permissive policy that allows authenticated users to update translations
+-- This assumes that access to the CMS is already controlled at the application level
+CREATE POLICY "Allow authenticated users to manage translations"
+ON public.translations
+FOR ALL
+TO authenticated
+USING (true)
+WITH CHECK (true);

package/supabase/migrations/20250708112300_add_new_translations.sql ADDED Viewed

@@ -0,0 +1,9 @@
+INSERT INTO public.translations (key, translations) VALUES
+('edit_page', '{"en": "Edit Page", "fr": "Éditer la page"}'),
+('edit_post', '{"en": "Edit Post", "fr": "Éditer l''article"}'),
+('open_main_menu', '{"en": "Open main menu", "fr": "Ouvrir le menu principal"}'),
+('mobile_navigation_menu', '{"en": "Mobile navigation menu", "fr": "Menu de navigation mobile"}'),
+('cms_dashboard', '{"en": "CMS Dashboard", "fr": "Tableau de bord CMS"}'),
+('update_env_file_warning', '{"en": "Please update .env.local file with anon key and url", "fr": "Veuillez mettre à jour .env.local avec l''anon key et l''URL"}'),
+('greeting', '{"en": "Hey, {username}!", "fr": "Salut, {username} !"}')
+ON CONFLICT (key) DO NOTHING;

package/supabase/migrations/20250709120000_create_revisions_tables.sql ADDED Viewed

@@ -0,0 +1,109 @@
+-- supabase/migrations/20250709120000_create_revisions_tables.sql
+-- Hybrid revision history for pages and posts
+begin;
+-- Create enum for revision type if not exists
+do $$
+begin
+  if not exists (select 1 from pg_type where typname = 'revision_type') then
+    create type public.revision_type as enum ('snapshot', 'diff');
+  end if;
+end
+$$;
+-- Add version column to pages and posts if not exists
+do $$
+begin
+  if not exists (
+    select 1 from information_schema.columns
+    where table_schema = 'public' and table_name = 'pages' and column_name = 'version'
+  ) then
+    alter table public.pages add column version integer not null default 1;
+    comment on column public.pages.version is 'Monotonic version number for hybrid revisions.';
+  end if;
+end
+$$;
+do $$
+begin
+  if not exists (
+    select 1 from information_schema.columns
+    where table_schema = 'public' and table_name = 'posts' and column_name = 'version'
+  ) then
+    alter table public.posts add column version integer not null default 1;
+    comment on column public.posts.version is 'Monotonic version number for hybrid revisions.';
+  end if;
+end
+$$;
+-- Create page_revisions table
+create table if not exists public.page_revisions (
+  id bigint generated by default as identity primary key,
+  page_id bigint not null references public.pages(id) on delete cascade,
+  author_id uuid references public.profiles(id) on delete set null,
+  version integer not null,
+  revision_type public.revision_type not null,
+  content jsonb not null,
+  created_at timestamp with time zone not null default now(),
+  constraint page_revisions_page_version_key unique (page_id, version)
+);
+comment on table public.page_revisions is 'Hybrid (snapshot/diff) revisions for pages.';
+comment on column public.page_revisions.content is 'If snapshot: full content; if diff: JSON Patch array.';
+create index if not exists idx_page_revisions_page_id on public.page_revisions(page_id);
+create index if not exists idx_page_revisions_page_id_version on public.page_revisions(page_id, version);
+-- Create post_revisions table
+create table if not exists public.post_revisions (
+  id bigint generated by default as identity primary key,
+  post_id bigint not null references public.posts(id) on delete cascade,
+  author_id uuid references public.profiles(id) on delete set null,
+  version integer not null,
+  revision_type public.revision_type not null,
+  content jsonb not null,
+  created_at timestamp with time zone not null default now(),
+  constraint post_revisions_post_version_key unique (post_id, version)
+);
+comment on table public.post_revisions is 'Hybrid (snapshot/diff) revisions for posts.';
+comment on column public.post_revisions.content is 'If snapshot: full content; if diff: JSON Patch array.';
+create index if not exists idx_post_revisions_post_id on public.post_revisions(post_id);
+create index if not exists idx_post_revisions_post_id_version on public.post_revisions(post_id, version);
+-- Enable RLS and add policies (admins and writers manage; authenticated can read)
+alter table public.page_revisions enable row level security;
+alter table public.post_revisions enable row level security;
+-- Page revisions policies
+drop policy if exists "page_revisions_admin_writer_management" on public.page_revisions;
+create policy "page_revisions_admin_writer_management"
+on public.page_revisions for all
+to authenticated
+using (public.get_current_user_role() in ('ADMIN', 'WRITER'))
+with check (public.get_current_user_role() in ('ADMIN', 'WRITER'));
+drop policy if exists "page_revisions_authenticated_read" on public.page_revisions;
+create policy "page_revisions_authenticated_read"
+on public.page_revisions for select
+to authenticated
+using (true);
+-- Post revisions policies
+drop policy if exists "post_revisions_admin_writer_management" on public.post_revisions;
+create policy "post_revisions_admin_writer_management"
+on public.post_revisions for all
+to authenticated
+using (public.get_current_user_role() in ('ADMIN', 'WRITER'))
+with check (public.get_current_user_role() in ('ADMIN', 'WRITER'));
+drop policy if exists "post_revisions_authenticated_read" on public.post_revisions;
+create policy "post_revisions_authenticated_read"
+on public.post_revisions for select
+to authenticated
+using (true);
+commit;

package/supabase/migrations/20251001113000_add_folder_to_media.sql ADDED Viewed

@@ -0,0 +1,14 @@
+-- Add a folder column to organize media by path prefix
+ALTER TABLE public.media
+ADD COLUMN IF NOT EXISTS folder TEXT;
+COMMENT ON COLUMN public.media.folder IS 'Folder path prefix for the R2 object (e.g., images/summer/).';
+-- Backfill existing rows by deriving folder from object_key (everything up to last slash)
+UPDATE public.media
+SET folder = NULLIF(regexp_replace(object_key, '[^/]*$', ''), '')
+WHERE folder IS NULL;
+-- Index to speed up filtering by folder
+CREATE INDEX IF NOT EXISTS media_folder_idx ON public.media (folder);