@nextblock-cms/db 0.2.21 → 0.2.22
package/package.json
CHANGED
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
BEGIN;
|
|
2
|
+
|
|
3
|
+
-- Drop the existing restrictive policy
|
|
4
|
+
DROP POLICY IF EXISTS "blocks_authenticated_comprehensive_select" ON public.blocks;
|
|
5
|
+
|
|
6
|
+
-- Create the new inclusive policy
|
|
7
|
+
CREATE POLICY "blocks_authenticated_comprehensive_select" ON public.blocks
|
|
8
|
+
FOR SELECT
|
|
9
|
+
TO authenticated
|
|
10
|
+
USING (
|
|
11
|
+
-- 1. Admin/Writer can see everything
|
|
12
|
+
((SELECT public.get_current_user_role()) IN ('ADMIN', 'WRITER'))
|
|
13
|
+
OR
|
|
14
|
+
-- 2. Anyone (including USER or no-role) can see published content
|
|
15
|
+
(
|
|
16
|
+
(page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
|
|
17
|
+
(post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
|
|
18
|
+
)
|
|
19
|
+
);
|
|
20
|
+
|
|
21
|
+
COMMENT ON POLICY "blocks_authenticated_comprehensive_select" ON public.blocks IS 'Comprehensive SELECT policy for authenticated users on the blocks table. Admins/Writers see all. Others (including those with missing profiles) see blocks of published parents.';
|
|
22
|
+
|
|
23
|
+
COMMIT;
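Review bot: The two EXISTS subqueries on new lines 16–17 read public.pages and public.posts as the calling user, so PostgreSQL filters them through whatever row-level security those tables carry. If their SELECT policies for `authenticated` still depend on a profile or role, a user with a missing profile will keep seeing no blocks, and this policy will not do what its COMMENT describes. Those policies are not visible in this hunk, so the dependency should be confirmed and recorded, e.g. `-- Depends on pages/posts SELECT policies exposing published rows to every authenticated user`. The comment on line 14 says "Anyone" although the policy is `TO authenticated`; `-- 2. Any authenticated user (including USER or no-role) can see published content` would be accurate. The post branch also treats `published_at IS NULL` as visible and the page branch has no time check, which deserves a one-line comment stating whether that is intended.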
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
BEGIN;
|
|
2
|
+
|
|
3
|
+
-- ============================================================
|
|
4
|
+
-- 1. Fix Duplicate Policies on public.blocks
|
|
5
|
+
-- ============================================================
|
|
6
|
+
|
|
7
|
+
-- Drop the "extra" policies that were causing duplicates.
|
|
8
|
+
-- These appear to have been introduced in 20250619124100_fix_rls_performance_warnings.sql
|
|
9
|
+
-- but conflict with the standard naming convention used in other migrations.
|
|
10
|
+
|
|
11
|
+
DROP POLICY IF EXISTS "Allow read access to blocks" ON public.blocks;
|
|
12
|
+
DROP POLICY IF EXISTS "Allow insert for admins and writers on blocks" ON public.blocks;
|
|
13
|
+
DROP POLICY IF EXISTS "Allow update for admins and writers on blocks" ON public.blocks;
|
|
14
|
+
DROP POLICY IF EXISTS "Allow delete for admins and writers on blocks" ON public.blocks;
|
|
15
|
+
|
|
16
|
+
-- Ensure the canonical policies are in place (they should be, but good to be safe).
|
|
17
|
+
-- The canonical policies are:
|
|
18
|
+
-- SELECT: "blocks_authenticated_comprehensive_select" (from 20251127110000_fix_blocks_visibility_for_missing_profiles.sql)
|
|
19
|
+
-- INSERT: "blocks_admin_writer_can_insert" (from 20251126133000_fix_blocks_rls.sql)
|
|
20
|
+
-- UPDATE: "blocks_admin_writer_can_update" (from 20251126133000_fix_blocks_rls.sql)
|
|
21
|
+
-- DELETE: "blocks_admin_writer_can_delete" (from 20251126133000_fix_blocks_rls.sql)
|
|
22
|
+
|
|
23
|
+
-- Note: "blocks_anon_can_read_published_blocks" is also a valid policy for anon users.
|
|
24
|
+
|
|
25
|
+
|
|
26
|
+
-- ============================================================
|
|
27
|
+
-- 2. Fix Duplicate Policies on public.media
|
|
28
|
+
-- ============================================================
|
|
29
|
+
|
|
30
|
+
-- Drop the specific "admin/writer" read policy, as "media_public_can_read" covers everyone.
|
|
31
|
+
DROP POLICY IF EXISTS "media_admin_writer_can_read" ON public.media;
|
|
32
|
+
|
|
33
|
+
-- Ensure "media_public_can_read" exists (it should, from 20250526183746_fix_media_select_rls_v12.sql)
|
|
34
|
+
-- If for some reason it's missing, we can recreate it, but usually dropping the duplicate is enough.
|
|
35
|
+
|
|
36
|
+
COMMIT;
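Review bot: The comment on new line 16 says the canonical policies are ensured, but nothing in this migration checks for them; it only drops policies. If any `blocks_admin_writer_can_*` policy or `media_public_can_read` is absent in some environment, the migration still commits, and (assuming RLS is enabled on these tables) access silently fails closed for the affected operations. The claim on line 30 that `media_public_can_read` covers everyone cannot be verified from this hunk; if its USING clause is narrower than the dropped admin/writer policy, staff lose sight of some media rows. I would make the assumption executable with a guard on `pg_policies` ahead of each group of drops, so that the transaction aborts instead; the media case is shown below and the same pattern applies to the four blocks policies.

```sql
-- … unchanged: section 1, drops on public.blocks …

-- Abort the transaction if the policy we rely on is not there.
DO $$
BEGIN
    IF NOT EXISTS (
        SELECT 1
        FROM pg_policies
        WHERE schemaname = 'public'
          AND tablename = 'media'
          AND policyname = 'media_public_can_read'
    ) THEN
        RAISE EXCEPTION 'media_public_can_read is missing; refusing to drop media_admin_writer_can_read';
    END IF;
END
$$;

DROP POLICY IF EXISTS "media_admin_writer_can_read" ON public.media;
```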
|