snipe-auth-rbac 0.2.0 → 0.3.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "snipe-auth-rbac",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Two-layer RBAC (system + company) for React, Next.js, and any modern TS app — paired with the Python sibling.",
   "license": "MIT",
   "type": "module",

package/sql/0001_initial.sql

@@ -509,4 +509,114 @@ DO $$ BEGIN
     END IF;
 END $$;
 
+-- ─────────────────────────────────────────────────────────────────
+-- 11. Table-level grants + Row-Level Security
+--
+-- The admin module under `snipe-auth-rbac/admin` reads + writes
+-- rbac.* tables directly via PostgREST (`.from('roles').select()`)
+-- so the matrix UI can render. That requires per-table grants —
+-- USAGE on the schema isn't enough on its own.
+--
+-- Strategy:
+--   * GRANT CRUD on every rbac.* table to `authenticated`.
+--   * Layer RLS so reads are wide enough for the admin UI but
+--     writes are super-admin only by default.
+--   * service_role keeps full access (backend / migrations / admin
+--     scripts use service_role).
+--
+-- Adopters who want a different access model (e.g. delegate role
+-- editing to non-super admins) replace the WRITE policies after
+-- this file applies.
+-- ─────────────────────────────────────────────────────────────────
+
+-- is_super_admin: convenience helper used by the policies below.
+-- SECURITY DEFINER so a policy can call it without recursing into
+-- RLS on the very tables it inspects.
+CREATE OR REPLACE FUNCTION rbac.is_super_admin()
+RETURNS boolean
+LANGUAGE sql
+STABLE
+SECURITY DEFINER
+SET search_path = rbac, public
+AS $$
+  SELECT EXISTS (
+    SELECT 1
+      FROM rbac.user_system_roles usr
+      JOIN rbac.roles r ON r.id = usr.role_id
+     WHERE usr.user_id = auth.uid()
+       AND r.is_super
+  );
+$$;
+
+DO $$ BEGIN
+    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated') THEN
+        EXECUTE 'GRANT EXECUTE ON FUNCTION rbac.is_super_admin() TO authenticated';
+        EXECUTE 'GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA rbac TO authenticated';
+    END IF;
+    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'service_role') THEN
+        EXECUTE 'GRANT ALL ON ALL TABLES IN SCHEMA rbac TO service_role';
+        EXECUTE 'GRANT ALL ON ALL SEQUENCES IN SCHEMA rbac TO service_role';
+        EXECUTE 'ALTER DEFAULT PRIVILEGES IN SCHEMA rbac GRANT ALL ON TABLES TO service_role';
+    END IF;
+END $$;
+
+ALTER TABLE rbac.companies          ENABLE ROW LEVEL SECURITY;
+ALTER TABLE rbac.resources          ENABLE ROW LEVEL SECURITY;
+ALTER TABLE rbac.roles              ENABLE ROW LEVEL SECURITY;
+ALTER TABLE rbac.role_permissions   ENABLE ROW LEVEL SECURITY;
+ALTER TABLE rbac.user_system_roles  ENABLE ROW LEVEL SECURITY;
+ALTER TABLE rbac.user_company_roles ENABLE ROW LEVEL SECURITY;
+
+-- READ — open to any authenticated user for static config tables;
+-- own-row only on assignment tables (super-admin sees all).
+DROP POLICY IF EXISTS rbac_companies_read       ON rbac.companies;
+CREATE POLICY rbac_companies_read       ON rbac.companies       FOR SELECT TO authenticated USING (true);
+
+DROP POLICY IF EXISTS rbac_resources_read       ON rbac.resources;
+CREATE POLICY rbac_resources_read       ON rbac.resources       FOR SELECT TO authenticated USING (true);
+
+DROP POLICY IF EXISTS rbac_roles_read            ON rbac.roles;
+CREATE POLICY rbac_roles_read            ON rbac.roles            FOR SELECT TO authenticated USING (true);
+
+DROP POLICY IF EXISTS rbac_role_permissions_read ON rbac.role_permissions;
+CREATE POLICY rbac_role_permissions_read ON rbac.role_permissions FOR SELECT TO authenticated USING (true);
+
+DROP POLICY IF EXISTS rbac_user_system_roles_read  ON rbac.user_system_roles;
+CREATE POLICY rbac_user_system_roles_read  ON rbac.user_system_roles  FOR SELECT TO authenticated
+  USING (user_id = auth.uid() OR rbac.is_super_admin());
+
+DROP POLICY IF EXISTS rbac_user_company_roles_read ON rbac.user_company_roles;
+CREATE POLICY rbac_user_company_roles_read ON rbac.user_company_roles FOR SELECT TO authenticated
+  USING (user_id = auth.uid() OR rbac.is_super_admin());
+
+-- WRITE — super-admin only across the board. Adopters override
+-- after this file applies to delegate role editing further.
+DROP POLICY IF EXISTS rbac_companies_write          ON rbac.companies;
+CREATE POLICY rbac_companies_write          ON rbac.companies          FOR ALL TO authenticated
+  USING (rbac.is_super_admin()) WITH CHECK (rbac.is_super_admin());
+
+DROP POLICY IF EXISTS rbac_resources_write          ON rbac.resources;
+CREATE POLICY rbac_resources_write          ON rbac.resources          FOR ALL TO authenticated
+  USING (rbac.is_super_admin()) WITH CHECK (rbac.is_super_admin());
+
+DROP POLICY IF EXISTS rbac_roles_write              ON rbac.roles;
+CREATE POLICY rbac_roles_write              ON rbac.roles              FOR ALL TO authenticated
+  USING (rbac.is_super_admin()) WITH CHECK (rbac.is_super_admin());
+
+DROP POLICY IF EXISTS rbac_role_permissions_write   ON rbac.role_permissions;
+CREATE POLICY rbac_role_permissions_write   ON rbac.role_permissions   FOR ALL TO authenticated
+  USING (rbac.is_super_admin()) WITH CHECK (rbac.is_super_admin());
+
+DROP POLICY IF EXISTS rbac_user_system_roles_write  ON rbac.user_system_roles;
+CREATE POLICY rbac_user_system_roles_write  ON rbac.user_system_roles  FOR ALL TO authenticated
+  USING (rbac.is_super_admin()) WITH CHECK (rbac.is_super_admin());
+
+DROP POLICY IF EXISTS rbac_user_company_roles_write ON rbac.user_company_roles;
+CREATE POLICY rbac_user_company_roles_write ON rbac.user_company_roles FOR ALL TO authenticated
+  USING (rbac.is_super_admin()) WITH CHECK (rbac.is_super_admin());
+
 COMMIT;
+
+-- Tell PostgREST to refresh schema cache so the policies + grants
+-- propagate without a manual reload.
+NOTIFY pgrst, 'reload config';