Skip to content

fix(supabase): enable RLS on communication account tables (fixes #69) #70

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ralyodio merged 1 commit into from
Jun 14, 2026
+79 −0
Merged

fix(supabase): enable RLS on communication account tables (fixes #69) #70

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 79 additions & 0 deletions supabase/migrations/20260614010000_communication_accounts_rls.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
-- Enable Row Level Security on communication account tables
-- These tables were created without RLS in 20260609010000_communication_accounts.sql

ALTER TABLE connected_accounts ENABLE ROW LEVEL SECURITY;
ALTER TABLE account_permission_grants ENABLE ROW LEVEL SECURITY;
ALTER TABLE account_audit_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE email_message_cache ENABLE ROW LEVEL SECURITY;
ALTER TABLE social_post_cache ENABLE ROW LEVEL SECURITY;

-- connected_accounts: users can only access their own accounts
CREATE POLICY "Users can view own connected accounts"
ON connected_accounts FOR SELECT
USING (auth.uid() = owner_user_id);

CREATE POLICY "Users can insert own connected accounts"
ON connected_accounts FOR INSERT
WITH CHECK (auth.uid() = owner_user_id);

CREATE POLICY "Users can update own connected accounts"
ON connected_accounts FOR UPDATE
USING (auth.uid() = owner_user_id);

CREATE POLICY "Users can delete own connected accounts"
ON connected_accounts FOR DELETE
USING (auth.uid() = owner_user_id);

-- account_permission_grants: access through connected_accounts ownership
CREATE POLICY "Users can view grants for own accounts"
ON account_permission_grants FOR SELECT
USING (
EXISTS (
SELECT 1 FROM connected_accounts
WHERE connected_accounts.id = account_permission_grants.account_id
AND connected_accounts.owner_user_id = auth.uid()
)
);

CREATE POLICY "Users can manage grants for own accounts"
ON account_permission_grants FOR ALL
USING (
EXISTS (
SELECT 1 FROM connected_accounts
WHERE connected_accounts.id = account_permission_grants.account_id
AND connected_accounts.owner_user_id = auth.uid()
)
);

-- account_audit_events: read-only access through connected_accounts ownership
CREATE POLICY "Users can view audit events for own accounts"
ON account_audit_events FOR SELECT
USING (
EXISTS (
SELECT 1 FROM connected_accounts
WHERE connected_accounts.id = account_audit_events.account_id
AND connected_accounts.owner_user_id = auth.uid()
)
);

-- email_message_cache: access through connected_accounts ownership
CREATE POLICY "Users can view emails for own accounts"
ON email_message_cache FOR SELECT
USING (
EXISTS (
SELECT 1 FROM connected_accounts
WHERE connected_accounts.id = email_message_cache.account_id
AND connected_accounts.owner_user_id = auth.uid()
)
);

-- social_post_cache: access through connected_accounts ownership
CREATE POLICY "Users can view posts for own accounts"
ON social_post_cache FOR SELECT
USING (
EXISTS (
SELECT 1 FROM connected_accounts
WHERE connected_accounts.id = social_post_cache.account_id
AND connected_accounts.owner_user_id = auth.uid()
)
);
Loading