snipe-auth-rbac 0.2.1 → 0.3.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "snipe-auth-rbac",
-  "version": "0.2.1",
+  "version": "0.3.1",
   "description": "Two-layer RBAC (system + company) for React, Next.js, and any modern TS app — paired with the Python sibling.",
   "license": "MIT",
   "type": "module",

package/sql/0001_initial.sql

@@ -509,4 +509,114 @@ DO $$ BEGIN
     END IF;
 END $$;
 
+-- ─────────────────────────────────────────────────────────────────
+-- 11. Table-level grants + Row-Level Security
+--
+-- The admin module under `snipe-auth-rbac/admin` reads + writes
+-- rbac.* tables directly via PostgREST (`.from('roles').select()`)
+-- so the matrix UI can render. That requires per-table grants —
+-- USAGE on the schema isn't enough on its own.
+--
+-- Strategy:
+--   * GRANT CRUD on every rbac.* table to `authenticated`.
+--   * Layer RLS so reads are wide enough for the admin UI but
+--     writes are super-admin only by default.
+--   * service_role keeps full access (backend / migrations / admin
+--     scripts use service_role).
+--
+-- Adopters who want a different access model (e.g. delegate role
+-- editing to non-super admins) replace the WRITE policies after
+-- this file applies.
+-- ─────────────────────────────────────────────────────────────────
+
+-- is_super_admin: convenience helper used by the policies below.
+-- SECURITY DEFINER so a policy can call it without recursing into
+-- RLS on the very tables it inspects.
+CREATE OR REPLACE FUNCTION rbac.is_super_admin()
+RETURNS boolean
+LANGUAGE sql
+STABLE
+SECURITY DEFINER
+SET search_path = rbac, public
+AS $$
+  SELECT EXISTS (
+    SELECT 1
+      FROM rbac.user_system_roles usr
+      JOIN rbac.roles r ON r.id = usr.role_id
+     WHERE usr.user_id = auth.uid()
+       AND r.is_super
+  );
+$$;
+
+DO $$ BEGIN
+    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated') THEN
+        EXECUTE 'GRANT EXECUTE ON FUNCTION rbac.is_super_admin() TO authenticated';
+        EXECUTE 'GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA rbac TO authenticated';
+    END IF;
+    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'service_role') THEN
+        EXECUTE 'GRANT ALL ON ALL TABLES IN SCHEMA rbac TO service_role';
+        EXECUTE 'GRANT ALL ON ALL SEQUENCES IN SCHEMA rbac TO service_role';
+        EXECUTE 'ALTER DEFAULT PRIVILEGES IN SCHEMA rbac GRANT ALL ON TABLES TO service_role';
+    END IF;
+END $$;
+
+ALTER TABLE rbac.companies          ENABLE ROW LEVEL SECURITY;
+ALTER TABLE rbac.resources          ENABLE ROW LEVEL SECURITY;
+ALTER TABLE rbac.roles              ENABLE ROW LEVEL SECURITY;
+ALTER TABLE rbac.role_permissions   ENABLE ROW LEVEL SECURITY;
+ALTER TABLE rbac.user_system_roles  ENABLE ROW LEVEL SECURITY;
+ALTER TABLE rbac.user_company_roles ENABLE ROW LEVEL SECURITY;
+
+-- READ — open to any authenticated user for static config tables;
+-- own-row only on assignment tables (super-admin sees all).
+DROP POLICY IF EXISTS rbac_companies_read       ON rbac.companies;
+CREATE POLICY rbac_companies_read       ON rbac.companies       FOR SELECT TO authenticated USING (true);
+
+DROP POLICY IF EXISTS rbac_resources_read       ON rbac.resources;
+CREATE POLICY rbac_resources_read       ON rbac.resources       FOR SELECT TO authenticated USING (true);
+
+DROP POLICY IF EXISTS rbac_roles_read            ON rbac.roles;
+CREATE POLICY rbac_roles_read            ON rbac.roles            FOR SELECT TO authenticated USING (true);
+
+DROP POLICY IF EXISTS rbac_role_permissions_read ON rbac.role_permissions;
+CREATE POLICY rbac_role_permissions_read ON rbac.role_permissions FOR SELECT TO authenticated USING (true);
+
+DROP POLICY IF EXISTS rbac_user_system_roles_read  ON rbac.user_system_roles;
+CREATE POLICY rbac_user_system_roles_read  ON rbac.user_system_roles  FOR SELECT TO authenticated
+  USING (user_id = auth.uid() OR rbac.is_super_admin());
+
+DROP POLICY IF EXISTS rbac_user_company_roles_read ON rbac.user_company_roles;
+CREATE POLICY rbac_user_company_roles_read ON rbac.user_company_roles FOR SELECT TO authenticated
+  USING (user_id = auth.uid() OR rbac.is_super_admin());
+
+-- WRITE — super-admin only across the board. Adopters override
+-- after this file applies to delegate role editing further.
+DROP POLICY IF EXISTS rbac_companies_write          ON rbac.companies;
+CREATE POLICY rbac_companies_write          ON rbac.companies          FOR ALL TO authenticated
+  USING (rbac.is_super_admin()) WITH CHECK (rbac.is_super_admin());
+
+DROP POLICY IF EXISTS rbac_resources_write          ON rbac.resources;
+CREATE POLICY rbac_resources_write          ON rbac.resources          FOR ALL TO authenticated
+  USING (rbac.is_super_admin()) WITH CHECK (rbac.is_super_admin());
+
+DROP POLICY IF EXISTS rbac_roles_write              ON rbac.roles;
+CREATE POLICY rbac_roles_write              ON rbac.roles              FOR ALL TO authenticated
+  USING (rbac.is_super_admin()) WITH CHECK (rbac.is_super_admin());
+
+DROP POLICY IF EXISTS rbac_role_permissions_write   ON rbac.role_permissions;
+CREATE POLICY rbac_role_permissions_write   ON rbac.role_permissions   FOR ALL TO authenticated
+  USING (rbac.is_super_admin()) WITH CHECK (rbac.is_super_admin());
+
+DROP POLICY IF EXISTS rbac_user_system_roles_write  ON rbac.user_system_roles;
+CREATE POLICY rbac_user_system_roles_write  ON rbac.user_system_roles  FOR ALL TO authenticated
+  USING (rbac.is_super_admin()) WITH CHECK (rbac.is_super_admin());
+
+DROP POLICY IF EXISTS rbac_user_company_roles_write ON rbac.user_company_roles;
+CREATE POLICY rbac_user_company_roles_write ON rbac.user_company_roles FOR ALL TO authenticated
+  USING (rbac.is_super_admin()) WITH CHECK (rbac.is_super_admin());
+
 COMMIT;
+
+-- Tell PostgREST to refresh schema cache so the policies + grants
+-- propagate without a manual reload.
+NOTIFY pgrst, 'reload config';

package/sql/0002_seed_defaults.sql

@@ -1,32 +1,42 @@
 -- snipe-auth-rbac — optional default seed
 --
 -- Companion to 0001_initial.sql that seeds:
---   * Two system roles (System Admin with is_super=true, System Support).
---   * Four generic company-role templates (Owner / Manager / Member /
---     Viewer) with sensible default_permissions patterns.
+--   * Two system roles (System-Administrator with is_super=true,
+--     System-Support).
+--   * Four generic company-role templates (Inhaber / Verwalter /
+--     Mitarbeiter / Leser) with sensible default_permissions
+--     patterns.
 --
--- The four templates use only the `default` action set — they don't
--- reference specific resources or groups, since those are defined by
--- the host. After registering host resources, run
--- ``rbac.apply_template_defaults(role_id)`` to materialise the matrix.
+-- Names are in German — that's the package's primary target
+-- audience (German property-management / SaaS). Adopters who
+-- prefer English names skip this file and seed their own.
 --
--- Domain-specific templates (Property Manager, Tenant Manager,
--- Sales, …) belong in the host's own seed migration where their
--- group/resource defaults can reference real registered resources.
+-- The four templates use only the `default` action set — they
+-- don't reference specific resources or groups, since those are
+-- defined by the host. After registering host resources, run
+-- ``rbac.apply_template_defaults(role_id)`` to materialise the
+-- matrix.
+--
+-- Domain-specific templates (Liegenschaftsverwalter,
+-- Mieterverwalter, Vertrieb, Gutachter, Anwalt, Mieter) belong in
+-- the host's own seed migration where their group/resource
+-- defaults can reference real registered resources.
 --
 -- Idempotent: every INSERT uses ON CONFLICT DO NOTHING. Re-running
--- the file leaves an existing deployment untouched.
+-- the file leaves an existing deployment untouched. Note: this
+-- means upgrading from v0.3.0 (English names) does NOT auto-rename
+-- — see CHANGELOG for the rename snippet.
 
 BEGIN;
 
 -- System roles
 INSERT INTO rbac.roles (id, scope, company_id, name, description, is_system, is_super, default_permissions)
 VALUES
-  (gen_random_uuid(), 'system', NULL, 'System Admin',
+  (gen_random_uuid(), 'system', NULL, 'System-Administrator',
    'Plattform-Vollzugriff. Setzt jede Berechtigungsprüfung außer Kraft.',
    true, true,
    '{"default": ["read", "write", "update", "delete"]}'::jsonb),
-  (gen_random_uuid(), 'system', NULL, 'System Support',
+  (gen_random_uuid(), 'system', NULL, 'System-Support',
    'Lesezugriff auf systemweite Ressourcen für Support-Aufgaben.',
    true, false,
    '{"default": ["read"]}'::jsonb)
@@ -36,19 +46,19 @@ ON CONFLICT DO NOTHING;
 -- Generic shapes only; domain-specific defaults are the host's job.
 INSERT INTO rbac.roles (id, scope, company_id, name, description, is_system, is_super, default_permissions)
 VALUES
-  (gen_random_uuid(), 'company', NULL, 'Owner',
-   'Vollzugriff innerhalb der eigenen Company.',
+  (gen_random_uuid(), 'company', NULL, 'Inhaber',
+   'Vollzugriff innerhalb des eigenen Mandanten.',
    true, false,
    '{"default": ["read", "write", "update", "delete"]}'::jsonb),
-  (gen_random_uuid(), 'company', NULL, 'Manager',
-   'Verwaltet Daten der Company, kann Rollen ändern. Kein Löschen.',
+  (gen_random_uuid(), 'company', NULL, 'Verwalter',
+   'Verwaltet Daten des Mandanten, kann Rollen ändern. Kein Löschen.',
    true, false,
    '{"default": ["read", "write", "update"]}'::jsonb),
-  (gen_random_uuid(), 'company', NULL, 'Member',
+  (gen_random_uuid(), 'company', NULL, 'Mitarbeiter',
    'Standard-Mitarbeiter mit Lese- und Schreibzugriff.',
    true, false,
    '{"default": ["read", "write"]}'::jsonb),
-  (gen_random_uuid(), 'company', NULL, 'Viewer',
+  (gen_random_uuid(), 'company', NULL, 'Leser',
    'Nur Lesezugriff.',
    true, false,
    '{"default": ["read"]}'::jsonb)