From d58ed59de4c4aaa775487b54cd0fdb09b6599793 Mon Sep 17 00:00:00 2001 From: DanielS Date: Fri, 1 May 2026 01:01:53 +0200 Subject: [PATCH] fix: add RLS policies for admin CRUD operations on products and categories --- .../20260430230140_admin_crud_policies.sql | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 shop/supabase/migrations/20260430230140_admin_crud_policies.sql diff --git a/shop/supabase/migrations/20260430230140_admin_crud_policies.sql b/shop/supabase/migrations/20260430230140_admin_crud_policies.sql new file mode 100644 index 0000000..6f123f4 --- /dev/null +++ b/shop/supabase/migrations/20260430230140_admin_crud_policies.sql @@ -0,0 +1,17 @@ +-- Products: Admin CRUD +CREATE POLICY "Allow authenticated insert on products" ON public.products FOR INSERT WITH CHECK (auth.role() = 'authenticated'); +CREATE POLICY "Allow authenticated update on products" ON public.products FOR UPDATE USING (auth.role() = 'authenticated'); +CREATE POLICY "Allow authenticated delete on products" ON public.products FOR DELETE USING (auth.role() = 'authenticated'); + +-- Product Modules: Admin CRUD +CREATE POLICY "Allow authenticated insert on product_modules" ON public.product_modules FOR INSERT WITH CHECK (auth.role() = 'authenticated'); +CREATE POLICY "Allow authenticated update on product_modules" ON public.product_modules FOR UPDATE USING (auth.role() = 'authenticated'); +CREATE POLICY "Allow authenticated delete on product_modules" ON public.product_modules FOR DELETE USING (auth.role() = 'authenticated'); + +-- Categories: Admin CRUD +CREATE POLICY "Allow authenticated insert on categories" ON public.categories FOR INSERT WITH CHECK (auth.role() = 'authenticated'); +CREATE POLICY "Allow authenticated update on categories" ON public.categories FOR UPDATE USING (auth.role() = 'authenticated'); +CREATE POLICY "Allow authenticated delete on categories" ON public.categories FOR DELETE USING (auth.role() = 'authenticated'); + +-- Admin check for Orders (allow admins to see all orders) +CREATE POLICY "Admins can view all orders" ON public.orders FOR SELECT USING (auth.role() = 'authenticated');