-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsample_security_policies.sql
executable file
·228 lines (190 loc) · 5.97 KB
/
sample_security_policies.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
-- Supabase Sample Security Policies
-- This file contains example Row Level Security (RLS) policies for common use cases.
-- Modify these examples to fit your specific schema and requirements.
-- Enable Row Level Security on all tables
-- =======================================
-- Enable RLS on a profiles table
ALTER TABLE IF EXISTS public.profiles ENABLE ROW LEVEL SECURITY;
-- Enable RLS on a posts table
ALTER TABLE IF EXISTS public.posts ENABLE ROW LEVEL SECURITY;
-- Enable RLS on a comments table
ALTER TABLE IF EXISTS public.comments ENABLE ROW LEVEL SECURITY;
-- Enable RLS on a todos table
ALTER TABLE IF EXISTS public.todos ENABLE ROW LEVEL SECURITY;
-- Basic Security Policies
-- ======================
-- 1. Users can view their own profiles
CREATE POLICY IF NOT EXISTS "Users can view their own profiles"
ON public.profiles
FOR SELECT
USING (auth.uid() = user_id);
-- 2. Users can update their own profiles
CREATE POLICY IF NOT EXISTS "Users can update their own profiles"
ON public.profiles
FOR UPDATE
USING (auth.uid() = user_id);
-- 3. Users can view their own posts
CREATE POLICY IF NOT EXISTS "Users can view their own posts"
ON public.posts
FOR SELECT
USING (auth.uid() = user_id);
-- 4. Users can create their own posts
CREATE POLICY IF NOT EXISTS "Users can create their own posts"
ON public.posts
FOR INSERT
WITH CHECK (auth.uid() = user_id);
-- 5. Users can update their own posts
CREATE POLICY IF NOT EXISTS "Users can update their own posts"
ON public.posts
FOR UPDATE
USING (auth.uid() = user_id);
-- 6. Users can delete their own posts
CREATE POLICY IF NOT EXISTS "Users can delete their own posts"
ON public.posts
FOR DELETE
USING (auth.uid() = user_id);
-- Advanced Security Policies
-- =========================
-- 1. Public posts are visible to everyone
CREATE POLICY IF NOT EXISTS "Public posts are visible to everyone"
ON public.posts
FOR SELECT
USING (is_public = true);
-- 2. Users can view comments on their posts
CREATE POLICY IF NOT EXISTS "Users can view comments on their posts"
ON public.comments
FOR SELECT
USING (
auth.uid() IN (
SELECT user_id FROM public.posts WHERE id = public.comments.post_id
)
);
-- 3. Users can view comments they created
CREATE POLICY IF NOT EXISTS "Users can view comments they created"
ON public.comments
FOR SELECT
USING (auth.uid() = user_id);
-- 4. Users can create comments on public posts
CREATE POLICY IF NOT EXISTS "Users can create comments on public posts"
ON public.comments
FOR INSERT
WITH CHECK (
auth.uid() = user_id AND
EXISTS (
SELECT 1 FROM public.posts
WHERE id = public.comments.post_id AND is_public = true
)
);
-- 5. Users can create comments on their own posts
CREATE POLICY IF NOT EXISTS "Users can create comments on their own posts"
ON public.comments
FOR INSERT
WITH CHECK (
auth.uid() = user_id AND
EXISTS (
SELECT 1 FROM public.posts
WHERE id = public.comments.post_id AND user_id = auth.uid()
)
);
-- Role-Based Security Policies
-- ===========================
-- 1. Admins can view all profiles
CREATE POLICY IF NOT EXISTS "Admins can view all profiles"
ON public.profiles
FOR SELECT
USING (
auth.jwt() ->> 'role' = 'admin'
);
-- 2. Admins can update all profiles
CREATE POLICY IF NOT EXISTS "Admins can update all profiles"
ON public.profiles
FOR UPDATE
USING (
auth.jwt() ->> 'role' = 'admin'
);
-- 3. Admins can view all posts
CREATE POLICY IF NOT EXISTS "Admins can view all posts"
ON public.posts
FOR SELECT
USING (
auth.jwt() ->> 'role' = 'admin'
);
-- 4. Admins can update all posts
CREATE POLICY IF NOT EXISTS "Admins can update all posts"
ON public.posts
FOR UPDATE
USING (
auth.jwt() ->> 'role' = 'admin'
);
-- 5. Admins can delete all posts
CREATE POLICY IF NOT EXISTS "Admins can delete all posts"
ON public.posts
FOR DELETE
USING (
auth.jwt() ->> 'role' = 'admin'
);
-- Storage Bucket Policies
-- ======================
-- 1. Users can view their own files
CREATE POLICY IF NOT EXISTS "Users can view their own files"
ON storage.objects
FOR SELECT
USING (auth.uid()::text = owner);
-- 2. Users can upload their own files
CREATE POLICY IF NOT EXISTS "Users can upload their own files"
ON storage.objects
FOR INSERT
WITH CHECK (auth.uid()::text = owner);
-- 3. Users can update their own files
CREATE POLICY IF NOT EXISTS "Users can update their own files"
ON storage.objects
FOR UPDATE
USING (auth.uid()::text = owner);
-- 4. Users can delete their own files
CREATE POLICY IF NOT EXISTS "Users can delete their own files"
ON storage.objects
FOR DELETE
USING (auth.uid()::text = owner);
-- 5. Public files are viewable by everyone
CREATE POLICY IF NOT EXISTS "Public files are viewable by everyone"
ON storage.objects
FOR SELECT
USING (bucket_id = 'public');
-- Todo App Example
-- ===============
-- 1. Users can view their own todos
CREATE POLICY IF NOT EXISTS "Users can view their own todos"
ON public.todos
FOR SELECT
USING (auth.uid() = user_id);
-- 2. Users can create their own todos
CREATE POLICY IF NOT EXISTS "Users can create their own todos"
ON public.todos
FOR INSERT
WITH CHECK (auth.uid() = user_id);
-- 3. Users can update their own todos
CREATE POLICY IF NOT EXISTS "Users can update their own todos"
ON public.todos
FOR UPDATE
USING (auth.uid() = user_id);
-- 4. Users can delete their own todos
CREATE POLICY IF NOT EXISTS "Users can delete their own todos"
ON public.todos
FOR DELETE
USING (auth.uid() = user_id);
-- 5. Users can view shared todos
CREATE POLICY IF NOT EXISTS "Users can view shared todos"
ON public.todos
FOR SELECT
USING (
auth.uid() = ANY(shared_with)
);
-- 6. Users can update shared todos
CREATE POLICY IF NOT EXISTS "Users can update shared todos"
ON public.todos
FOR UPDATE
USING (
auth.uid() = ANY(shared_with)
);
-- Note: These are example policies. You should adapt them to your specific
-- database schema and application requirements.