@nextblock-cms/db 0.2.10 → 0.2.13

package/supabase/migrations/20251112113736_fix_search_path_functions.sql

@@ -0,0 +1,74 @@
+-- Ensure critical auth/public functions always use a safe search_path.
+BEGIN;
+
+CREATE OR REPLACE FUNCTION public.handle_languages_update()
+RETURNS TRIGGER
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path TO pg_temp, public
+AS $$
+BEGIN
+  NEW.updated_at = now();
+  RETURN NEW;
+END;
+$$;
+
+CREATE OR REPLACE FUNCTION public.get_my_claim(claim TEXT)
+RETURNS TEXT
+LANGUAGE plpgsql
+VOLATILE
+SET search_path TO pg_temp, public
+AS $$
+DECLARE
+    claims jsonb;
+    claim_value text;
+BEGIN
+    -- Safely get claims, defaulting to NULL if not present or invalid JSON
+    BEGIN
+        claims := current_setting('request.jwt.claims', true)::jsonb;
+    EXCEPTION
+        WHEN invalid_text_representation THEN
+            claims := NULL;
+    END;
+
+    -- If claims are NULL, return NULL
+    IF claims IS NULL THEN
+        RETURN NULL;
+    END IF;
+
+    -- Safely extract the claim value as text, removing quotes
+    claim_value := claims ->> claim;
+
+    RETURN claim_value;
+END;
+$$;
+
+CREATE OR REPLACE FUNCTION public.get_my_role()
+RETURNS TEXT
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path TO pg_temp, public
+AS $$
+DECLARE
+  user_role TEXT;
+BEGIN
+  SELECT role INTO user_role FROM public.profiles WHERE id = auth.uid();
+  RETURN user_role;
+END;
+$$;
+
+CREATE OR REPLACE FUNCTION public.set_current_timestamp_updated_at()
+RETURNS TRIGGER
+LANGUAGE plpgsql
+SET search_path TO pg_temp, public
+AS $$
+DECLARE
+  _new record;
+BEGIN
+  _new := NEW;
+  _new."updated_at" = now();
+  RETURN _new;
+END;
+$$;
+
+COMMIT;

package/supabase/migrations/20251112124444_fix_rls_performance.sql

@@ -0,0 +1,63 @@
+BEGIN;
+
+-- Ensure profile read access uses a single policy and wraps auth.uid() safely.
+DROP POLICY IF EXISTS "Allow user to read their own profile" ON public.profiles;
+DROP POLICY IF EXISTS "authenticated_can_read_profiles" ON public.profiles;
+
+CREATE POLICY "authenticated_can_read_profiles" ON public.profiles
+FOR SELECT
+TO authenticated
+USING (
+  (id = (SELECT auth.uid())) OR
+  (public.get_current_user_role() = 'ADMIN')
+);
+COMMENT ON POLICY "authenticated_can_read_profiles" ON public.profiles IS 'Authenticated users can read their own profile; admins can read any profile.';
+
+-- Harden storage.objects ownership checks.
+DROP POLICY IF EXISTS "allow_authenticated_uploads" ON storage.objects;
+DROP POLICY IF EXISTS "allow_authenticated_updates" ON storage.objects;
+DROP POLICY IF EXISTS "allow_authenticated_deletes" ON storage.objects;
+
+CREATE POLICY "allow_authenticated_uploads" ON storage.objects
+FOR INSERT TO authenticated
+WITH CHECK (bucket_id = 'public' AND owner = (SELECT auth.uid()));
+
+CREATE POLICY "allow_authenticated_updates" ON storage.objects
+FOR UPDATE TO authenticated
+USING (bucket_id = 'public' AND owner = (SELECT auth.uid()));
+
+CREATE POLICY "allow_authenticated_deletes" ON storage.objects
+FOR DELETE TO authenticated
+USING (bucket_id = 'public' AND owner = (SELECT auth.uid()));
+
+-- Keep select policy as-is (bucket scoped) since it does not reference auth.uid().
+
+-- Update site_settings policies to avoid initplan warnings.
+DROP POLICY IF EXISTS "Allow ADMIN and WRITER to insert into site_settings" ON public.site_settings;
+DROP POLICY IF EXISTS "Allow ADMIN and WRITER to update site_settings" ON public.site_settings;
+
+CREATE POLICY "Allow ADMIN and WRITER to insert into site_settings" ON public.site_settings
+FOR INSERT TO authenticated
+WITH CHECK (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+);
+
+CREATE POLICY "Allow ADMIN and WRITER to update site_settings" ON public.site_settings
+FOR UPDATE TO authenticated
+USING (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+)
+WITH CHECK (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+);
+
+COMMIT;

package/supabase/migrations/20251112125935_fix_combined_policies.sql

@@ -0,0 +1,194 @@
+BEGIN;
+
+-- Consolidate logo read access into a single policy for the authenticated role.
+DROP POLICY IF EXISTS "Allow public read access to logos" ON public.logos;
+DROP POLICY IF EXISTS "Allow read access for authenticated users on logos" ON public.logos;
+
+CREATE POLICY "logos_authenticated_select_combined"
+ON public.logos
+FOR SELECT
+TO authenticated
+USING (true);
+
+-- Page revisions: remove overlapping SELECT coverage and keep a single policy per action.
+DROP POLICY IF EXISTS page_revisions_admin_writer_management ON public.page_revisions;
+DROP POLICY IF EXISTS page_revisions_authenticated_read ON public.page_revisions;
+
+CREATE POLICY "page_revisions_authenticated_select_combined"
+ON public.page_revisions
+FOR SELECT
+TO authenticated
+USING (true);
+
+CREATE POLICY "page_revisions_admin_writer_insert"
+ON public.page_revisions
+FOR INSERT
+TO authenticated
+WITH CHECK (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+);
+
+CREATE POLICY "page_revisions_admin_writer_update"
+ON public.page_revisions
+FOR UPDATE
+TO authenticated
+USING (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+)
+WITH CHECK (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+);
+
+CREATE POLICY "page_revisions_admin_writer_delete"
+ON public.page_revisions
+FOR DELETE
+TO authenticated
+USING (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+);
+
+-- Post revisions: same treatment as page revisions.
+DROP POLICY IF EXISTS post_revisions_admin_writer_management ON public.post_revisions;
+DROP POLICY IF EXISTS post_revisions_authenticated_read ON public.post_revisions;
+
+CREATE POLICY "post_revisions_authenticated_select_combined"
+ON public.post_revisions
+FOR SELECT
+TO authenticated
+USING (true);
+
+CREATE POLICY "post_revisions_admin_writer_insert"
+ON public.post_revisions
+FOR INSERT
+TO authenticated
+WITH CHECK (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+);
+
+CREATE POLICY "post_revisions_admin_writer_update"
+ON public.post_revisions
+FOR UPDATE
+TO authenticated
+USING (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+)
+WITH CHECK (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+);
+
+CREATE POLICY "post_revisions_admin_writer_delete"
+ON public.post_revisions
+FOR DELETE
+TO authenticated
+USING (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+);
+
+-- Site settings: collapse overlapping policies per action.
+DROP POLICY IF EXISTS "Allow ADMIN and WRITER to insert into site_settings" ON public.site_settings;
+DROP POLICY IF EXISTS "Allow admins full access on site_settings" ON public.site_settings;
+DROP POLICY IF EXISTS "Allow insert based on user role" ON public.site_settings;
+DROP POLICY IF EXISTS "Allow authenticated users to read site_settings" ON public.site_settings;
+DROP POLICY IF EXISTS "Allow update based on user role" ON public.site_settings;
+DROP POLICY IF EXISTS "Allow ADMIN and WRITER to update site_settings" ON public.site_settings;
+DROP POLICY IF EXISTS "Allow ADMIN and WRITER to modify site_settings" ON public.site_settings;
+
+CREATE POLICY "site_settings_authenticated_insert_combined"
+ON public.site_settings
+FOR INSERT
+TO authenticated
+WITH CHECK (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+);
+
+CREATE POLICY "site_settings_authenticated_select_combined"
+ON public.site_settings
+FOR SELECT
+TO authenticated
+USING (true);
+
+CREATE POLICY "site_settings_authenticated_update_combined"
+ON public.site_settings
+FOR UPDATE
+TO authenticated
+USING (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+)
+WITH CHECK (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+);
+
+CREATE POLICY "site_settings_authenticated_delete_combined"
+ON public.site_settings
+FOR DELETE
+TO authenticated
+USING (
+  EXISTS (
+    SELECT 1 FROM public.profiles
+    WHERE id = (SELECT auth.uid()) AND role IN ('ADMIN', 'WRITER')
+  )
+);
+
+-- Translations: split FOR ALL coverage into distinct policies.
+DROP POLICY IF EXISTS "Allow authenticated users to manage translations" ON public.translations;
+DROP POLICY IF EXISTS "Allow read access to all authenticated users" ON public.translations;
+
+CREATE POLICY "translations_authenticated_select_combined"
+ON public.translations
+FOR SELECT
+TO authenticated
+USING (true);
+
+CREATE POLICY "translations_authenticated_insert_combined"
+ON public.translations
+FOR INSERT
+TO authenticated
+WITH CHECK (true);
+
+CREATE POLICY "translations_authenticated_update_combined"
+ON public.translations
+FOR UPDATE
+TO authenticated
+USING (true)
+WITH CHECK (true);
+
+CREATE POLICY "translations_authenticated_delete_combined"
+ON public.translations
+FOR DELETE
+TO authenticated
+USING (true);
+
+COMMIT;

package/supabase/migrations/20251112132146_fix_foreign_key_indexes.sql

@@ -0,0 +1,21 @@
+BEGIN;
+
+-- Add missing coverage for frequently joined foreign keys.
+CREATE INDEX IF NOT EXISTS idx_logos_media_id
+  ON public.logos (media_id);
+
+CREATE INDEX IF NOT EXISTS idx_page_revisions_author_id
+  ON public.page_revisions (author_id);
+
+CREATE INDEX IF NOT EXISTS idx_post_revisions_author_id
+  ON public.post_revisions (author_id);
+
+-- Drop unused or redundant indexes called out by Supabase insights.
+DROP INDEX IF EXISTS idx_page_revisions_page_id_version;
+DROP INDEX IF EXISTS idx_post_revisions_post_id_version;
+DROP INDEX IF EXISTS idx_post_revisions_post_id;
+DROP INDEX IF EXISTS idx_pages_translation_group_id;
+DROP INDEX IF EXISTS idx_posts_translation_group_id;
+DROP INDEX IF EXISTS idx_navigation_items_menu_lang_order;
+
+COMMIT;

package/supabase/migrations/20251112132525_cleanup_unused_indexes.sql

@@ -0,0 +1,10 @@
+BEGIN;
+
+-- Drop redundant or legacy indexes highlighted by Supabase Advisor.
+DROP INDEX IF EXISTS media_folder_idx;
+DROP INDEX IF EXISTS idx_blocks_language_id;
+DROP INDEX IF EXISTS idx_blocks_post_id;
+DROP INDEX IF EXISTS idx_navigation_items_language_id;
+DROP INDEX IF EXISTS idx_page_revisions_page_id;
+
+COMMIT;

package/supabase/migrations/20251112132822_fix_final_indexes.sql

@@ -0,0 +1,14 @@
+BEGIN;
+
+CREATE INDEX IF NOT EXISTS idx_blocks_language_id
+  ON public.blocks (language_id);
+
+CREATE INDEX IF NOT EXISTS idx_blocks_post_id
+  ON public.blocks (post_id);
+
+CREATE INDEX IF NOT EXISTS idx_navigation_items_language_id
+  ON public.navigation_items (language_id);
+
+ANALYZE VERBOSE;
+
+COMMIT;

package/supabase/migrations/20251112140000_scaffold_foundational_content.sql

@@ -0,0 +1,95 @@
+-- supabase/migrations/20251112140000_scaffold_foundational_content.sql
+-- seeds additional languages plus the foundational Home/Articles pages and flagship post translations
+
+do $migration$
+declare
+  v_home_page_group_id uuid := gen_random_uuid();
+  v_blog_page_group_id uuid := gen_random_uuid();
+  v_how_it_works_post_group_id uuid := gen_random_uuid();
+  v_en_lang_id bigint;
+  v_fr_lang_id bigint;
+  v_feature_media_id uuid;
+begin
+  -- only english and french
+  insert into public.languages (id, name, code, is_default, is_active)
+  values
+    (1, 'English', 'en', true, true),
+    (2, 'Français', 'fr', false, true)
+  on conflict (id) do update
+    set name = excluded.name,
+        code = excluded.code,
+        is_default = excluded.is_default,
+        is_active = excluded.is_active;
+
+  select id into v_en_lang_id from public.languages where code = 'en' limit 1;
+  select id into v_fr_lang_id from public.languages where code = 'fr' limit 1;
+
+  if v_en_lang_id is null or v_fr_lang_id is null then
+    raise exception 'Required languages (en, fr) not found. Please seed languages first.';
+  end if;
+
+  -- reset defaults/actives
+  update public.languages
+  set is_active = true,
+      is_default = case when code = 'en' then true else false end
+  where code in ('en', 'fr');
+
+-- scaffold the Home and Articles parent pages (EN + FR)
+  insert into public.pages (language_id, title, slug, status, translation_group_id)
+  values (v_en_lang_id, 'Home', 'home', 'published', v_home_page_group_id)
+  on conflict (language_id, slug) do update
+    set title = excluded.title,
+        status = excluded.status,
+        translation_group_id = excluded.translation_group_id;
+
+  insert into public.pages (language_id, title, slug, status, translation_group_id)
+  values (v_fr_lang_id, 'Accueil', 'accueil', 'published', v_home_page_group_id)
+  on conflict (language_id, slug) do update
+    set title = excluded.title,
+        status = excluded.status,
+        translation_group_id = excluded.translation_group_id;
+
+insert into public.pages (language_id, title, slug, status, translation_group_id)
+values (v_en_lang_id, 'Articles', 'articles', 'published', v_blog_page_group_id)
+on conflict (language_id, slug) do update
+  set title = excluded.title,
+      status = excluded.status,
+      translation_group_id = excluded.translation_group_id;
+
+insert into public.pages (language_id, title, slug, status, translation_group_id)
+values (v_fr_lang_id, 'Articles', 'articles', 'published', v_blog_page_group_id)
+on conflict (language_id, slug) do update
+  set title = excluded.title,
+      status = excluded.status,
+      translation_group_id = excluded.translation_group_id;
+
+  -- seed the flagship How It Works blog post in EN + FR
+  insert into public.posts (language_id, title, slug, status, translation_group_id)
+  values (v_en_lang_id, 'How NextBlock Works: A Look Under the Hood', 'how-nextblock-works', 'published', v_how_it_works_post_group_id)
+  on conflict (language_id, slug) do update
+    set title = excluded.title,
+        status = excluded.status,
+        translation_group_id = excluded.translation_group_id;
+
+  insert into public.posts (language_id, title, slug, status, translation_group_id)
+  values (v_fr_lang_id, 'Comment NextBlock Fonctionne : Regard Sous le Capot', 'comment-nextblock-fonctionne', 'published', v_how_it_works_post_group_id)
+  on conflict (language_id, slug) do update
+    set title = excluded.title,
+        status = excluded.status,
+        translation_group_id = excluded.translation_group_id;
+
+  -- Feature image for the flagship post can be set later via CMS; no seed insert for static asset.
+end;
+$migration$;
+
+select id as home_page_id
+from public.pages
+where slug = 'home' and language_id = (select id from public.languages where code = 'en' limit 1)
+order by created_at desc
+limit 1;
+
+select id as post_id
+from public.posts
+where slug = 'how-nextblock-works' and language_id = (select id from public.languages where code = 'en' limit 1)
+order by created_at desc
+limit 1;