security: fix 6 critical RLS vulns, SHA-256 hash, DSGVO [GELÖSCHT], completed status
Some checks failed
Staging Build / build (push) Has been cancelled

This commit is contained in:
DanielS
2026-07-06 22:39:05 +02:00
parent 3d938d29fc
commit 2d44dd4c58
7 changed files with 139 additions and 22 deletions

View File

@@ -0,0 +1,104 @@
-- Migration: Fix critical RLS security issues
-- 1. Restrict products/modules/categories CRUD to admin role only
-- 2. Restrict settings table to admin role only
-- 3. Remove USING(true) wildcard policies on companies/partners
-- ═══════════════════════════════════════════════════════════════════════════════
-- 1. Products: Replace overly permissive CRUD policies with admin-only
-- ═══════════════════════════════════════════════════════════════════════════════
DROP POLICY IF EXISTS "Allow authenticated insert on products" ON public.products;
DROP POLICY IF EXISTS "Allow authenticated update on products" ON public.products;
DROP POLICY IF EXISTS "Allow authenticated delete on products" ON public.products;
CREATE POLICY "Admin insert products" ON public.products FOR INSERT
WITH CHECK ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
CREATE POLICY "Admin update products" ON public.products FOR UPDATE
USING ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
CREATE POLICY "Admin delete products" ON public.products FOR DELETE
USING ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
-- ═══════════════════════════════════════════════════════════════════════════════
-- 2. Product Modules: Same fix
-- ═══════════════════════════════════════════════════════════════════════════════
DROP POLICY IF EXISTS "Allow authenticated insert on product_modules" ON public.product_modules;
DROP POLICY IF EXISTS "Allow authenticated update on product_modules" ON public.product_modules;
DROP POLICY IF EXISTS "Allow authenticated delete on product_modules" ON public.product_modules;
CREATE POLICY "Admin insert product_modules" ON public.product_modules FOR INSERT
WITH CHECK ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
CREATE POLICY "Admin update product_modules" ON public.product_modules FOR UPDATE
USING ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
CREATE POLICY "Admin delete product_modules" ON public.product_modules FOR DELETE
USING ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
-- ═══════════════════════════════════════════════════════════════════════════════
-- 3. Categories: Same fix
-- ═══════════════════════════════════════════════════════════════════════════════
DROP POLICY IF EXISTS "Allow authenticated insert on categories" ON public.categories;
DROP POLICY IF EXISTS "Allow authenticated update on categories" ON public.categories;
DROP POLICY IF EXISTS "Allow authenticated delete on categories" ON public.categories;
CREATE POLICY "Admin insert categories" ON public.categories FOR INSERT
WITH CHECK ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
CREATE POLICY "Admin update categories" ON public.categories FOR UPDATE
USING ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
CREATE POLICY "Admin delete categories" ON public.categories FOR DELETE
USING ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
-- ═══════════════════════════════════════════════════════════════════════════════
-- 4. Settings: Restrict to admin-only (contains SMTP credentials!)
-- ═══════════════════════════════════════════════════════════════════════════════
DROP POLICY IF EXISTS "Allow authenticated read on settings" ON public.settings;
DROP POLICY IF EXISTS "Allow authenticated write on settings" ON public.settings;
CREATE POLICY "Admin read settings" ON public.settings FOR SELECT
USING ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
CREATE POLICY "Admin write settings" ON public.settings FOR ALL
USING ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin')
WITH CHECK ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
-- ═══════════════════════════════════════════════════════════════════════════════
-- 5. Companies: Remove USING(true) wildcard, service_role bypasses RLS anyway
-- ═══════════════════════════════════════════════════════════════════════════════
DROP POLICY IF EXISTS "Service role kann alles Unternehmen" ON public.companies;
DROP POLICY IF EXISTS "Service role kann alles Partner" ON public.partners;
-- Admin-only write access for companies
CREATE POLICY "Admin manage companies" ON public.companies FOR ALL
USING ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin')
WITH CHECK ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
-- Admin-only write access for partners
CREATE POLICY "Admin manage partners" ON public.partners FOR ALL
USING ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin')
WITH CHECK ((SELECT role FROM public.users WHERE id = auth.uid()) = 'admin');
-- ═══════════════════════════════════════════════════════════════════════════════
-- 6. Orders: Add INSERT policy with company_id check
-- ═══════════════════════════════════════════════════════════════════════════════
DROP POLICY IF EXISTS "Users can create their own orders" ON public.orders;
CREATE POLICY "Users can create their own orders" ON public.orders FOR INSERT
WITH CHECK (
auth.uid() = user_id
AND (
(SELECT role FROM public.users WHERE id = auth.uid()) = 'admin'
OR (SELECT company_id FROM public.users WHERE id = auth.uid()) IS NOT NULL
)
);
-- Reload Schema Cache
NOTIFY pgrst, 'reload schema';