npm - @nextblock-cms/db - Versions diffs - 0.2.8 → 0.2.10 - Mend

@nextblock-cms/db 0.2.8 → 0.2.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (86) hide show

package/supabase/migrations/20250526172513_resolve_select_policy_overlaps.sql DELETED Viewed

@@ -1,96 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_resolve_select_policy_overlaps.sql
--- (Ensure YYYYMMDDHHMMSS is the current timestamp)
-BEGIN;
--- == BLOCKS ==
--- Assuming "blocks_admin_writer_management" is FOR ALL and covers SELECT for ADMIN/WRITER.
--- Make "blocks_authenticated_access" specific to non-ADMIN/WRITER authenticated users.
-DROP POLICY IF EXISTS "blocks_authenticated_access" ON public.blocks;
-CREATE POLICY "blocks_authenticated_user_access" ON public.blocks -- Renamed for clarity
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() NOT IN ('ADMIN', 'WRITER')) AND -- This is the key change
-    (
-      (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
-      (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
-    )
-  );
-COMMENT ON POLICY "blocks_authenticated_user_access" ON public.blocks IS 'Authenticated USERS (non-admin/writer) can read blocks of published parents. Admin/Writer SELECT via their management policy.';
--- Note: "blocks_anon_can_read_published" (FOR SELECT TO anon) should remain unchanged.
--- Note: "blocks_admin_writer_management" (FOR ALL TO authenticated USING role IN (ADMIN,WRITER)) should remain unchanged.
--- == LANGUAGES ==
--- Assuming "languages_admin_management" is FOR ALL and covers SELECT for ADMIN.
--- Make "languages_are_publicly_readable_by_all" not apply to authenticated ADMINs.
-DROP POLICY IF EXISTS "languages_are_publicly_readable_by_all" ON public.languages;
-CREATE POLICY "languages_readable_by_anon_and_non_admins" ON public.languages -- Renamed
-  FOR SELECT
-  USING (
-    NOT (auth.role() = 'authenticated' AND public.get_current_user_role() = 'ADMIN')
-  );
-COMMENT ON POLICY "languages_readable_by_anon_and_non_admins" ON public.languages IS 'Anonymous users and authenticated non-admins can read languages. Admin SELECT via management policy.';
--- Note: "languages_admin_management" (FOR ALL TO authenticated USING role = ADMIN) should remain unchanged.
--- == MEDIA ==
--- Assuming "media_admin_writer_management" is FOR ALL and covers SELECT for ADMIN/WRITER.
--- Make "media_is_publicly_readable_by_all" not apply to authenticated ADMIN/WRITERs.
-DROP POLICY IF EXISTS "media_is_publicly_readable_by_all" ON public.media;
-CREATE POLICY "media_readable_by_anon_and_non_privileged_users" ON public.media -- Renamed
-  FOR SELECT
-  USING (
-    NOT (auth.role() = 'authenticated' AND public.get_current_user_role() IN ('ADMIN', 'WRITER'))
-  );
-COMMENT ON POLICY "media_readable_by_anon_and_non_privileged_users" ON public.media IS 'Anonymous users and authenticated non-admin/writer users can read media. Admin/Writer SELECT via management policy.';
--- Note: "media_admin_writer_management" (FOR ALL TO authenticated USING role IN (ADMIN,WRITER)) should remain unchanged.
--- == NAVIGATION ITEMS ==
--- Assuming "nav_items_admin_management" is FOR ALL and covers SELECT for ADMIN.
--- Make "nav_items_are_publicly_readable_by_all" not apply to authenticated ADMINs.
-DROP POLICY IF EXISTS "nav_items_are_publicly_readable_by_all" ON public.navigation_items;
-CREATE POLICY "nav_items_readable_by_anon_and_non_admins" ON public.navigation_items -- Renamed
-  FOR SELECT
-  USING (
-    NOT (auth.role() = 'authenticated' AND public.get_current_user_role() = 'ADMIN')
-  );
-COMMENT ON POLICY "nav_items_readable_by_anon_and_non_admins" ON public.navigation_items IS 'Anonymous users and authenticated non-admins can read nav items. Admin SELECT via management policy.';
--- Note: "nav_items_admin_management" (FOR ALL TO authenticated USING role = ADMIN) should remain unchanged.
--- == PAGES ==
--- Assuming "pages_admin_writer_management" is FOR ALL and covers SELECT for ADMIN/WRITER.
--- Make "pages_authenticated_access" specific to non-ADMIN/WRITER authenticated users.
-DROP POLICY IF EXISTS "pages_authenticated_access" ON public.pages;
-CREATE POLICY "pages_user_authenticated_access" ON public.pages -- Renamed
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() NOT IN ('ADMIN', 'WRITER')) AND -- This is the key change
-    (
-      (status = 'published') OR
-      (author_id = (SELECT auth.uid()) AND status <> 'published')
-    )
-  );
-COMMENT ON POLICY "pages_user_authenticated_access" ON public.pages IS 'Authenticated USERS (non-admin/writer) can read published pages or their own drafts. Admin/Writer SELECT via their management policy.';
--- Note: "pages_anon_can_read_published" (FOR SELECT TO anon) should remain unchanged.
--- Note: "pages_admin_writer_management" (FOR ALL TO authenticated USING role IN (ADMIN,WRITER)) should remain unchanged.
--- == POSTS ==
--- Assuming "posts_admin_writer_management" is FOR ALL and covers SELECT for ADMIN/WRITER.
--- Make "posts_authenticated_access" specific to non-ADMIN/WRITER authenticated users.
-DROP POLICY IF EXISTS "posts_authenticated_access" ON public.posts;
-CREATE POLICY "posts_user_authenticated_access" ON public.posts -- Renamed
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() NOT IN ('ADMIN', 'WRITER')) AND -- This is the key change
-    (
-      (status = 'published' AND (published_at IS NULL OR published_at <= now())) OR
-      (author_id = (SELECT auth.uid()) AND status <> 'published')
-    )
-  );
-COMMENT ON POLICY "posts_user_authenticated_access" ON public.posts IS 'Authenticated USERS (non-admin/writer) can read published posts or their own drafts. Admin/Writer SELECT via their management policy.';
--- Note: "posts_anon_can_read_published" (FOR SELECT TO anon) should remain unchanged.
--- Note: "posts_admin_writer_management" (FOR ALL TO authenticated USING role IN (ADMIN,WRITER)) should remain unchanged.
-COMMIT;

package/supabase/migrations/20250526172853_resolve_remaining_rls_v5.sql DELETED Viewed

@@ -1,107 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_resolve_remaining_rls_v5.sql
--- (Ensure YYYYMMDDHHMMSS is the current timestamp)
-BEGIN;
--- == LANGUAGES ==
--- Drop the policy from v4 that needs auth.role() fix and better role targeting.
-DROP POLICY IF EXISTS "languages_readable_by_anon_and_non_admins" ON public.languages;
--- Policy for anon
-CREATE POLICY "languages_anon_can_read" ON public.languages
-  FOR SELECT TO anon USING (true);
-COMMENT ON POLICY "languages_anon_can_read" ON public.languages IS 'Anonymous users can read languages.';
--- Policy for authenticated USERS (non-admins)
-CREATE POLICY "languages_user_can_read" ON public.languages
-  FOR SELECT TO authenticated
-  USING (public.get_current_user_role() <> 'ADMIN'); -- Allows USER and WRITER (if writer isn't admin)
-COMMENT ON POLICY "languages_user_can_read" ON public.languages IS 'Authenticated non-admin users can read languages.';
--- "languages_admin_management" (FOR ALL TO authenticated USING role = ADMIN) is assumed to be current and handles admin SELECT.
--- == MEDIA ==
--- Drop the policy from v4
-DROP POLICY IF EXISTS "media_readable_by_anon_and_non_privileged_users" ON public.media;
--- Policy for anon
-CREATE POLICY "media_anon_can_read" ON public.media
-  FOR SELECT TO anon USING (true);
-COMMENT ON POLICY "media_anon_can_read" ON public.media IS 'Anonymous users can read media records.';
--- Policy for authenticated USERS (non-admin/writer)
-CREATE POLICY "media_user_can_read" ON public.media
-  FOR SELECT TO authenticated
-  USING (public.get_current_user_role() NOT IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "media_user_can_read" ON public.media IS 'Authenticated USERS (non-admin/writer) can read media records.';
--- "media_admin_writer_management" (FOR ALL TO authenticated USING role IN (ADMIN,WRITER)) is assumed current.
--- == NAVIGATION ITEMS ==
--- Drop the policy from v4
-DROP POLICY IF EXISTS "nav_items_readable_by_anon_and_non_admins" ON public.navigation_items;
--- Policy for anon
-CREATE POLICY "nav_items_anon_can_read" ON public.navigation_items
-  FOR SELECT TO anon USING (true);
-COMMENT ON POLICY "nav_items_anon_can_read" ON public.navigation_items IS 'Anonymous users can read navigation items.';
--- Policy for authenticated USERS (non-admins)
-CREATE POLICY "nav_items_user_can_read" ON public.navigation_items
-  FOR SELECT TO authenticated
-  USING (public.get_current_user_role() <> 'ADMIN'); -- Allows USER and WRITER
-COMMENT ON POLICY "nav_items_user_can_read" ON public.navigation_items IS 'Authenticated non-admin users can read navigation items.';
--- "nav_items_admin_management" (FOR ALL TO authenticated USING role = ADMIN) is assumed current.
--- == BLOCKS ==
--- Drop the "blocks_authenticated_user_access" from v4
-DROP POLICY IF EXISTS "blocks_authenticated_user_access" ON public.blocks;
--- Recreate explicitly for USER role to avoid overlap with admin/writer FOR ALL policy
-CREATE POLICY "blocks_user_role_can_read_published_parents" ON public.blocks
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() = 'USER') AND
-    (
-      (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
-      (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
-    )
-  );
-COMMENT ON POLICY "blocks_user_role_can_read_published_parents" ON public.blocks IS 'Authenticated USERS can read blocks of published parents. Admin/Writer SELECT via their management policy.';
--- "blocks_anon_can_read_published" (FOR SELECT TO anon) from previous migrations is assumed to be fine.
--- "blocks_admin_writer_management" (FOR ALL TO authenticated USING role IN (ADMIN,WRITER)) is assumed current.
--- == PAGES ==
--- Drop "pages_user_authenticated_access" from v4
-DROP POLICY IF EXISTS "pages_user_authenticated_access" ON public.pages;
--- Recreate explicitly for USER role
-CREATE POLICY "pages_user_role_access" ON public.pages
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() = 'USER') AND
-    (
-      (status = 'published') OR
-      (author_id = (SELECT auth.uid()) AND status <> 'published') -- auth.uid() is fine here as it's specific to USER
-    )
-  );
-COMMENT ON POLICY "pages_user_role_access" ON public.pages IS 'Authenticated USERS can read published pages or their own drafts. Admin/Writer SELECT via their management policy.';
--- "pages_anon_can_read_published" (FOR SELECT TO anon) is assumed fine.
--- "pages_admin_writer_management" (FOR ALL TO authenticated USING role IN (ADMIN,WRITER)) is assumed current.
--- == POSTS ==
--- Drop "posts_user_authenticated_access" from v4
-DROP POLICY IF EXISTS "posts_user_authenticated_access" ON public.posts;
--- Recreate explicitly for USER role
-CREATE POLICY "posts_user_role_access" ON public.posts
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() = 'USER') AND
-    (
-      (status = 'published' AND (published_at IS NULL OR published_at <= now())) OR
-      (author_id = (SELECT auth.uid()) AND status <> 'published') -- auth.uid() is fine here
-    )
-  );
-COMMENT ON POLICY "posts_user_role_access" ON public.posts IS 'Authenticated USERS can read published posts or their own drafts. Admin/Writer SELECT via their management policy.';
--- "posts_anon_can_read_published" (FOR SELECT TO anon) is assumed fine.
--- "posts_admin_writer_management" (FOR ALL TO authenticated USING role IN (ADMIN,WRITER)) is assumed current.
-COMMIT;

package/supabase/migrations/20250526173538_finalize_rls_cleanup_v7.sql DELETED Viewed

@@ -1,110 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_final_rls_cleanup_v7.sql
--- (Ensure YYMMDDHHMMSS is the current timestamp)
-BEGIN;
--- == BLOCKS ==
--- Conflicting: {blocks_admin_writer_management, blocks_user_role_can_read_published_parents}
--- "blocks_admin_writer_management" is FOR ALL and covers SELECT for ADMIN/WRITER.
--- "blocks_user_role_can_read_published_parents" is for 'USER' role.
--- This structure *should* be fine. The linter might be overly cautious.
--- To be absolutely sure, we ensure "blocks_user_role_can_read_published_parents" only targets 'USER'.
-DROP POLICY IF EXISTS "blocks_user_role_can_read_published_parents" ON public.blocks;
-CREATE POLICY "blocks_user_role_can_read_published_parents" ON public.blocks
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() = 'USER') AND
-    (
-      (page_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.pages p WHERE p.id = blocks.page_id AND p.status = 'published')) OR
-      (post_id IS NOT NULL AND EXISTS(SELECT 1 FROM public.posts pt WHERE pt.id = blocks.post_id AND pt.status = 'published' AND (pt.published_at IS NULL OR pt.published_at <= now())))
-    )
-  );
-COMMENT ON POLICY "blocks_user_role_can_read_published_parents" ON public.blocks IS 'Authenticated USERS can read blocks of published parents. Admin/Writer SELECT via their FOR ALL management policy.';
--- Assuming "blocks_anon_can_read_published" and "blocks_admin_writer_management" (FOR ALL) are correct from previous migrations.
--- == LANGUAGES ==
--- Conflicting: {languages_admin_management, languages_user_can_read}
--- "languages_admin_management" is FOR ALL and covers SELECT for ADMIN.
--- "languages_user_can_read" (from v5) was: TO authenticated USING (public.get_current_user_role() <> 'ADMIN');
--- This should be fine, as an ADMIN would make the USING clause false.
--- To be very explicit for the linter:
-DROP POLICY IF EXISTS "languages_user_can_read" ON public.languages;
-CREATE POLICY "languages_authenticated_non_admin_can_read" ON public.languages
-  FOR SELECT
-  TO authenticated
-  USING (
-    public.get_current_user_role() IN ('USER', 'WRITER') -- Explicitly target USER and WRITER
-  );
-COMMENT ON POLICY "languages_authenticated_non_admin_can_read" ON public.languages IS 'Authenticated USER and WRITER roles can read languages. Admin SELECT via their FOR ALL management policy.';
--- Assuming "languages_anon_can_read" and "languages_admin_management" (FOR ALL) are correct.
--- == MEDIA ==
--- Conflicting: {media_admin_writer_management, media_user_can_read}
--- "media_admin_writer_management" is FOR ALL and covers SELECT for ADMIN/WRITER.
--- "media_user_can_read" (from v5) was: TO authenticated USING (public.get_current_user_role() NOT IN ('ADMIN', 'WRITER'));
--- This should be fine. To be very explicit:
-DROP POLICY IF EXISTS "media_user_can_read" ON public.media;
-CREATE POLICY "media_user_role_can_read" ON public.media
-  FOR SELECT
-  TO authenticated
-  USING (
-    public.get_current_user_role() = 'USER' -- Explicitly target USER role
-  );
-COMMENT ON POLICY "media_user_role_can_read" ON public.media IS 'Authenticated USER role can read media. Admin/Writer SELECT via their FOR ALL management policy.';
--- Assuming "media_anon_can_read" and "media_admin_writer_management" (FOR ALL) are correct.
--- == NAVIGATION ITEMS ==
--- Conflicting: {nav_items_admin_management, nav_items_user_can_read}
--- "nav_items_admin_management" is FOR ALL and covers SELECT for ADMIN.
--- "nav_items_user_can_read" (from v5) was: TO authenticated USING (public.get_current_user_role() <> 'ADMIN');
-DROP POLICY IF EXISTS "nav_items_user_can_read" ON public.navigation_items;
-CREATE POLICY "nav_items_authenticated_non_admin_can_read" ON public.navigation_items
-  FOR SELECT
-  TO authenticated
-  USING (
-    public.get_current_user_role() IN ('USER', 'WRITER') -- Explicitly target USER and WRITER
-  );
-COMMENT ON POLICY "nav_items_authenticated_non_admin_can_read" ON public.navigation_items IS 'Authenticated USER and WRITER roles can read nav items. Admin SELECT via their FOR ALL management policy.';
--- Assuming "nav_items_anon_can_read" and "nav_items_admin_management" (FOR ALL) are correct.
--- == PAGES ==
--- Conflicting: {pages_admin_writer_management, pages_user_role_access}
--- This structure is identical to blocks and should be fine if "pages_user_role_access" correctly targets only USER.
-DROP POLICY IF EXISTS "pages_user_role_access" ON public.pages;
-CREATE POLICY "pages_user_role_can_read" ON public.pages -- Consistent naming
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() = 'USER') AND
-    (
-      (status = 'published') OR
-      (author_id = (SELECT auth.uid()) AND status <> 'published')
-    )
-  );
-COMMENT ON POLICY "pages_user_role_can_read" ON public.pages IS 'Authenticated USERS can read published pages or their own drafts. Admin/Writer SELECT via their FOR ALL management policy.';
--- Assuming "pages_anon_can_read_published" and "pages_admin_writer_management" (FOR ALL) are correct.
--- == POSTS ==
--- Conflicting: {posts_admin_writer_management, posts_user_role_access}
--- This structure is identical to blocks/pages and should be fine if "posts_user_role_access" correctly targets only USER.
-DROP POLICY IF EXISTS "posts_user_role_access" ON public.posts;
-CREATE POLICY "posts_user_role_can_read" ON public.posts -- Consistent naming
-  FOR SELECT
-  TO authenticated
-  USING (
-    (public.get_current_user_role() = 'USER') AND
-    (
-      (status = 'published' AND (published_at IS NULL OR published_at <= now())) OR
-      (author_id = (SELECT auth.uid()) AND status <> 'published')
-    )
-  );
-COMMENT ON POLICY "posts_user_role_can_read" ON public.posts IS 'Authenticated USERS can read published posts or their own drafts. Admin/Writer SELECT via their FOR ALL management policy.';
--- Assuming "posts_anon_can_read_published" and "posts_admin_writer_management" (FOR ALL) are correct.
-COMMIT;

package/supabase/migrations/20250526174710_separate_write_policies_v8.sql DELETED Viewed

@@ -1,147 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_separate_write_policies_v8.sql
-BEGIN;
--- == PROFILES ==
--- Assuming "authenticated_can_read_profiles" (FOR SELECT) is correctly in place.
--- Define explicit INSERT and leave UPDATE to the existing "authenticated_can_update_profiles" policy.
-DROP POLICY IF EXISTS "admins_can_insert_profiles" ON public.profiles;
-CREATE POLICY "admins_can_insert_profiles" ON public.profiles
-  FOR INSERT
-  TO authenticated
-  WITH CHECK (public.get_current_user_role() = 'ADMIN');
-COMMENT ON POLICY "admins_can_insert_profiles" ON public.profiles IS 'Admins can insert new profiles.';
--- "authenticated_can_update_profiles" (FOR UPDATE) is assumed to be in place and correct.
--- == BLOCKS ==
--- Drop the old "FOR ALL" or "FOR INSERT, UPDATE, DELETE" management policy
-DROP POLICY IF EXISTS "blocks_admin_writer_management" ON public.blocks;
--- Create separate policies for INSERT, UPDATE, DELETE for Admins/Writers
-CREATE POLICY "blocks_admin_writer_can_insert" ON public.blocks
-  FOR INSERT
-  TO authenticated
-  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "blocks_admin_writer_can_insert" ON public.blocks IS 'Admins/Writers can insert blocks.';
-CREATE POLICY "blocks_admin_writer_can_update" ON public.blocks
-  FOR UPDATE
-  TO authenticated
-  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER')) -- USING is relevant for UPDATE
-  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "blocks_admin_writer_can_update" ON public.blocks IS 'Admins/Writers can update blocks.';
-CREATE POLICY "blocks_admin_writer_can_delete" ON public.blocks
-  FOR DELETE
-  TO authenticated
-  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "blocks_admin_writer_can_delete" ON public.blocks IS 'Admins/Writers can delete blocks.';
--- Assumed SELECT policies: "blocks_anon_can_read_published" and "blocks_user_role_can_read_published_parents" are in place.
--- == LANGUAGES ==
-DROP POLICY IF EXISTS "languages_admin_management" ON public.languages;
-CREATE POLICY "languages_admin_can_insert" ON public.languages
-  FOR INSERT TO authenticated
-  WITH CHECK (public.get_current_user_role() = 'ADMIN');
-COMMENT ON POLICY "languages_admin_can_insert" ON public.languages IS 'Admins can insert languages.';
-CREATE POLICY "languages_admin_can_update" ON public.languages
-  FOR UPDATE TO authenticated
-  USING (public.get_current_user_role() = 'ADMIN')
-  WITH CHECK (public.get_current_user_role() = 'ADMIN');
-COMMENT ON POLICY "languages_admin_can_update" ON public.languages IS 'Admins can update languages.';
-CREATE POLICY "languages_admin_can_delete" ON public.languages
-  FOR DELETE TO authenticated
-  USING (public.get_current_user_role() = 'ADMIN');
-COMMENT ON POLICY "languages_admin_can_delete" ON public.languages IS 'Admins can delete languages.';
--- Assumed SELECT policies: "languages_anon_can_read" and "languages_authenticated_non_admin_can_read" are in place.
--- == MEDIA ==
-DROP POLICY IF EXISTS "media_admin_writer_management" ON public.media;
-CREATE POLICY "media_admin_writer_can_insert" ON public.media
-  FOR INSERT TO authenticated
-  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "media_admin_writer_can_insert" ON public.media IS 'Admins/Writers can insert media.';
-CREATE POLICY "media_admin_writer_can_update" ON public.media
-  FOR UPDATE TO authenticated
-  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
-  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "media_admin_writer_can_update" ON public.media IS 'Admins/Writers can update media.';
-CREATE POLICY "media_admin_writer_can_delete" ON public.media
-  FOR DELETE TO authenticated
-  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "media_admin_writer_can_delete" ON public.media IS 'Admins/Writers can delete media.';
--- Assumed SELECT policies: "media_anon_can_read" and "media_user_role_can_read" are in place.
--- == NAVIGATION ITEMS ==
-DROP POLICY IF EXISTS "nav_items_admin_management" ON public.navigation_items;
-CREATE POLICY "nav_items_admin_can_insert" ON public.navigation_items
-  FOR INSERT TO authenticated
-  WITH CHECK (public.get_current_user_role() = 'ADMIN');
-COMMENT ON POLICY "nav_items_admin_can_insert" ON public.navigation_items IS 'Admins can insert navigation items.';
-CREATE POLICY "nav_items_admin_can_update" ON public.navigation_items
-  FOR UPDATE TO authenticated
-  USING (public.get_current_user_role() = 'ADMIN')
-  WITH CHECK (public.get_current_user_role() = 'ADMIN');
-COMMENT ON POLICY "nav_items_admin_can_update" ON public.navigation_items IS 'Admins can update navigation items.';
-CREATE POLICY "nav_items_admin_can_delete" ON public.navigation_items
-  FOR DELETE TO authenticated
-  USING (public.get_current_user_role() = 'ADMIN');
-COMMENT ON POLICY "nav_items_admin_can_delete" ON public.navigation_items IS 'Admins can delete navigation items.';
--- Assumed SELECT policies: "nav_items_anon_can_read" and "nav_items_authenticated_non_admin_can_read" are in place.
--- == PAGES ==
-DROP POLICY IF EXISTS "pages_admin_writer_management" ON public.pages;
-CREATE POLICY "pages_admin_writer_can_insert" ON public.pages
-  FOR INSERT TO authenticated
-  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "pages_admin_writer_can_insert" ON public.pages IS 'Admins/Writers can insert pages.';
-CREATE POLICY "pages_admin_writer_can_update" ON public.pages
-  FOR UPDATE TO authenticated
-  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
-  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "pages_admin_writer_can_update" ON public.pages IS 'Admins/Writers can update pages.';
-CREATE POLICY "pages_admin_writer_can_delete" ON public.pages
-  FOR DELETE TO authenticated
-  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "pages_admin_writer_can_delete" ON public.pages IS 'Admins/Writers can delete pages.';
--- Assumed SELECT policies: "pages_anon_can_read_published" and "pages_user_role_can_read" are in place.
--- == POSTS ==
-DROP POLICY IF EXISTS "posts_admin_writer_management" ON public.posts;
-CREATE POLICY "posts_admin_writer_can_insert" ON public.posts
-  FOR INSERT TO authenticated
-  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "posts_admin_writer_can_insert" ON public.posts IS 'Admins/Writers can insert posts.';
-CREATE POLICY "posts_admin_writer_can_update" ON public.posts
-  FOR UPDATE TO authenticated
-  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'))
-  WITH CHECK (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "posts_admin_writer_can_update" ON public.posts IS 'Admins/Writers can update posts.';
-CREATE POLICY "posts_admin_writer_can_delete" ON public.posts
-  FOR DELETE TO authenticated
-  USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
-COMMENT ON POLICY "posts_admin_writer_can_delete" ON public.posts IS 'Admins/Writers can delete posts.';
--- Assumed SELECT policies: "posts_anon_can_read_published" and "posts_user_role_can_read" are in place.
-COMMIT;

package/supabase/migrations/20250526175359_fix_languages_select_rls_v9.sql DELETED Viewed

@@ -1,81 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_fix_languages_select_rls_v9.sql
-BEGIN;
--- == LANGUAGES ==
--- Drop the specific authenticated non-admin policy
-DROP POLICY IF EXISTS "languages_authenticated_non_admin_can_read" ON public.languages;
-DROP POLICY IF EXISTS "languages_user_can_read" ON public.languages; -- If this was the one from v5 attempt
--- Create a simpler, broader SELECT policy for all authenticated users for the languages table.
--- The "multiple_permissive_policies" warning for languages was between "languages_admin_management" (FOR ALL)
--- and "languages_authenticated_non_admin_can_read".
--- If "languages_admin_management" is FOR ALL, it handles SELECT for admins.
--- We need a SELECT policy for authenticated users who are NOT admins.
--- Option 1: Keep admin SELECT via FOR ALL, and add specific for USER/WRITER
--- (This is what was in _v6.sql basically and was still warned by linter, but might be a linter quirk)
--- CREATE POLICY "languages_user_writer_can_read" ON public.languages
---   FOR SELECT TO authenticated
---   USING (public.get_current_user_role() IN ('USER', 'WRITER'));
--- Option 2: Make the "publicly readable" policy truly public for SELECT FOR ALL ROLES,
--- and ensure the admin management policy is ONLY for writes. This was the _v7.sql approach which failed syntax.
--- Let's retry the _v7 approach for *just* the languages table, as it's the most robust against the linter.
--- We need to be absolutely sure about the FOR INSERT, UPDATE, DELETE syntax.
--- If that syntax is the absolute blocker, we're in a tough spot.
--- Assuming the error "JSON object requested, multiple (or no) rows returned" means NO rows were returned,
--- it means NO select policy was satisfied for the 'languages' table by the role executing getNavigationMenu.
--- Let's make languages readable by any authenticated user, plus the existing anon policy.
--- This might re-trigger the "multiple_permissive_policies" if the admin FOR ALL policy is still active,
--- but it should fix the immediate "0 rows returned" error.
-CREATE POLICY "languages_authenticated_can_read" ON public.languages
-  FOR SELECT
-  TO authenticated
-  USING (true); -- Any authenticated user can read languages.
-COMMENT ON POLICY "languages_authenticated_can_read" ON public.languages IS 'Any authenticated user can read languages.';
--- "languages_anon_can_read" (FOR SELECT TO anon USING (true)) should still be active and is fine.
--- "languages_admin_management" (FOR ALL TO authenticated USING role = ADMIN) is assumed to be active.
--- This setup WILL cause a "multiple_permissive_policies" warning for an authenticated ADMIN
--- because "languages_authenticated_can_read" (USING true) and the SELECT part of
--- "languages_admin_management" (USING role=ADMIN) will both apply.
--- The root cause of the "0 rows returned" is that *neither* of the v6 policies for authenticated
--- was being met by the server-side client running getNavigationMenu, OR the client was anon
--- and "languages_anon_can_read" was somehow not effective or missing.
--- To ensure the `getNavigationMenu` function works for ANY role calling it:
--- Let's reinstate a very simple public read policy for languages.
--- This was the original policy from `20250514143016_setup_languages_table.sql`:
--- `CREATE POLICY "languages_are_publicly_readable" ON public.languages FOR SELECT TO anon, authenticated USING (true);`
--- This was later split.
--- Cleanest approach to fix the immediate error, and then we can re-evaluate the linter:
--- Ensure there's one policy that makes languages readable to everyone for SELECT.
-DROP POLICY IF EXISTS "languages_anon_can_read" ON public.languages;
-DROP POLICY IF EXISTS "languages_user_can_read" ON public.languages;
-DROP POLICY IF EXISTS "languages_authenticated_non_admin_can_read" ON public.languages;
-DROP POLICY IF EXISTS "languages_authenticated_can_read" ON public.languages;
-DROP POLICY IF EXISTS "languages_are_publicly_readable_by_all" ON public.languages; -- from _v2
-DROP POLICY IF EXISTS "languages_are_publicly_readable" ON public.languages; -- from original
-CREATE POLICY "languages_are_publicly_readable_for_all_roles" ON public.languages
-  FOR SELECT
-  USING (true); -- This allows 'anon' and all types of 'authenticated' users to read.
-COMMENT ON POLICY "languages_are_publicly_readable_for_all_roles" ON public.languages IS 'All roles (anon, authenticated) can read from the languages table.';
--- The "languages_admin_management" policy (FOR ALL TO authenticated USING role=ADMIN) will still exist.
--- This WILL re-introduce the "multiple_permissive_policies" warning for `languages` for `authenticated SELECT`,
--- because an authenticated ADMIN will match both this new public read policy and their FOR ALL management policy.
--- However, it should fix your immediate "Error fetching language ID" error.
--- If the `FOR INSERT, UPDATE, DELETE` syntax was the true blocker, and you *must* use `FOR ALL` for admin management,
--- then the previous "mutually exclusive USING clause" approach was logically correct but the linter didn't like it.
--- The above `languages_are_publicly_readable_for_all_roles` is the simplest way to ensure reads, at the cost of a linter warning.
-COMMIT;

package/supabase/migrations/20250526182940_fix_nav_read_policy_v10.sql DELETED Viewed

@@ -1,27 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_fix_nav_read_policy_v10.sql
-BEGIN;
--- == NAVIGATION ITEMS ==
--- Drop the existing SELECT policy for authenticated non-admins, as we'll replace it with a broader one.
-DROP POLICY IF EXISTS "nav_items_authenticated_non_admin_can_read" ON public.navigation_items;
--- Also drop older name if it somehow exists from v5 attempt
-DROP POLICY IF EXISTS "nav_items_user_can_read" ON public.navigation_items;
--- Create a policy that allows ALL authenticated users to read navigation items.
--- This will cover USER, WRITER, and ADMIN roles for SELECT.
-CREATE POLICY "nav_items_authenticated_can_read" ON public.navigation_items
-  FOR SELECT
-  TO authenticated
-  USING (true); -- Any authenticated user can read all navigation items.
-COMMENT ON POLICY "nav_items_authenticated_can_read" ON public.navigation_items IS 'All authenticated users (USER, WRITER, ADMIN) can read navigation items.';
--- The following policies are assumed to be correctly in place and should remain:
--- 1. "nav_items_anon_can_read" ON public.navigation_items FOR SELECT TO anon USING (true);
--- 2. "nav_items_admin_can_insert" ON public.navigation_items FOR INSERT TO authenticated WITH CHECK (public.get_current_user_role() = 'ADMIN');
--- 3. "nav_items_admin_can_update" ON public.navigation_items FOR UPDATE TO authenticated USING (public.get_current_user_role() = 'ADMIN') WITH CHECK (public.get_current_user_role() = 'ADMIN');
--- 4. "nav_items_admin_can_delete" ON public.navigation_items FOR DELETE TO authenticated USING (public.get_current_user_role() = 'ADMIN');
-COMMIT;

package/supabase/migrations/20250526183239_fix_posts_read_rls_v11.sql DELETED Viewed

@@ -1,59 +0,0 @@
--- supabase/migrations/YYYYMMDDHHMMSS_fix_posts_read_rls_v11.sql
-BEGIN;
--- == POSTS ==
--- Drop the existing specific SELECT policy for USER role if it exists
-DROP POLICY IF EXISTS "posts_user_role_can_read" ON public.posts;
--- Drop any older variations that might exist from previous attempts
-DROP POLICY IF EXISTS "posts_user_authenticated_access" ON public.posts;
-DROP POLICY IF EXISTS "posts_authenticated_access" ON public.posts;
--- Policy for anonymous users to read published posts (should already exist, ensure it's correct)
-DROP POLICY IF EXISTS "posts_anon_can_read_published" ON public.posts;
-CREATE POLICY "posts_anon_can_read_published" ON public.posts
-  FOR SELECT
-  TO anon
-  USING (status = 'published' AND (published_at IS NULL OR published_at <= now()));
-COMMENT ON POLICY "posts_anon_can_read_published" ON public.posts IS 'Anonymous users can read published posts.';
--- Policy for ALL authenticated users to read PUBLISHED posts.
--- This covers USER, WRITER, and ADMIN for viewing public, published content.
-CREATE POLICY "posts_authenticated_can_read_published" ON public.posts
-  FOR SELECT
-  TO authenticated
-  USING (status = 'published' AND (published_at IS NULL OR published_at <= now()));
-COMMENT ON POLICY "posts_authenticated_can_read_published" ON public.posts IS 'All authenticated users can read published posts.';
--- Policy for authenticated users (authors) to read their OWN DRAFTS/non-published posts.
--- This is important for CMS previews or if authors can view their non-live content.
-DROP POLICY IF EXISTS "posts_authors_can_read_own_drafts" ON public.posts;
-CREATE POLICY "posts_authors_can_read_own_drafts" ON public.posts
-  FOR SELECT
-  TO authenticated
-  USING (author_id = (SELECT auth.uid()) AND status <> 'published');
-COMMENT ON POLICY "posts_authors_can_read_own_drafts" ON public.posts IS 'Authenticated authors can read their own non-published posts.';
--- The admin/writer management policies for INSERT, UPDATE, DELETE remain as they are (write-only).
--- e.g., "posts_admin_writer_can_insert", "posts_admin_writer_can_update", "posts_admin_writer_can_delete"
--- These do NOT provide SELECT access.
--- Optional: If you need ADMINs/WRITERs to be able to SELECT *ALL* posts (including drafts of others)
--- for CMS management purposes (e.g., in the /cms/posts listing page), you would need an
--- additional policy or ensure their management policy was FOR ALL.
--- However, for public site rendering (getPostDataBySlug), the above should be sufficient.
--- If your CMS listing page for posts also breaks for ADMIN/WRITER, you might need:
--- CREATE POLICY "posts_admin_writer_can_read_all_for_cms" ON public.posts
---   FOR SELECT
---   TO authenticated
---   USING (public.get_current_user_role() IN ('ADMIN', 'WRITER'));
--- This WILL re-introduce a "multiple_permissive_policies" warning for ADMIN/WRITER on SELECT,
--- as they would match this AND "posts_authenticated_can_read_published".
--- For now, let's stick to fixing public reads. The CMS read access might be handled differently or might need its own policy.
-COMMIT;