Skip to content

Add RLS policies to invitations table #1520

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Apr 30, 2025
+111 −0
Merged

Add RLS policies to invitations table #1520

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a90994c
feat: add RLS policies to invitations table
devin-ai-integration[bot] Apr 25, 2025
1260960
fix: add proper type definitions to database.types.ts
devin-ai-integration[bot] Apr 25, 2025
06ff6c9
feat: add row-level security policies for invitations table
NoritakaIkeda Apr 28, 2025
8582888
Merge branch 'main' into devin/1745584435-add-rls-to-invitations-table
NoritakaIkeda Apr 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions frontend/packages/db/schema/schema.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1324,6 +1324,12 @@ ALTER TABLE ONLY "public"."schema_file_paths"



CREATE POLICY "authenticated_users_can_delete_org_invitations" ON "public"."invitations" FOR DELETE TO "authenticated" USING (("organization_id" IN ( SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE ("organization_members"."user_id" = "auth"."uid"()))));



CREATE POLICY "authenticated_users_can_delete_org_projects" ON "public"."projects" FOR DELETE TO "authenticated" USING (("organization_id" IN ( SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE ("organization_members"."user_id" = "auth"."uid"()))));
Expand All @@ -1344,6 +1350,12 @@ COMMENT ON POLICY "authenticated_users_can_insert_org_doc_file_paths" ON "public



CREATE POLICY "authenticated_users_can_insert_org_invitations" ON "public"."invitations" FOR INSERT TO "authenticated" WITH CHECK (("organization_id" IN ( SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE ("organization_members"."user_id" = "auth"."uid"()))));



CREATE POLICY "authenticated_users_can_insert_org_knowledge_suggestion_doc_map" ON "public"."knowledge_suggestion_doc_mappings" FOR INSERT TO "authenticated" WITH CHECK (("organization_id" IN ( SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE ("organization_members"."user_id" = "auth"."uid"()))));
Expand Down Expand Up @@ -1414,6 +1426,12 @@ COMMENT ON POLICY "authenticated_users_can_select_org_github_pull_requests" ON "



CREATE POLICY "authenticated_users_can_select_org_invitations" ON "public"."invitations" FOR SELECT TO "authenticated" USING (("organization_id" IN ( SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE ("organization_members"."user_id" = "auth"."uid"()))));



CREATE POLICY "authenticated_users_can_select_org_knowledge_suggestion_doc_map" ON "public"."knowledge_suggestion_doc_mappings" FOR SELECT TO "authenticated" USING (("organization_id" IN ( SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE ("organization_members"."user_id" = "auth"."uid"()))));
Expand Down Expand Up @@ -1510,6 +1528,14 @@ COMMENT ON POLICY "authenticated_users_can_select_org_schema_file_paths" ON "pub



CREATE POLICY "authenticated_users_can_update_org_invitations" ON "public"."invitations" FOR UPDATE TO "authenticated" USING (("organization_id" IN ( SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE ("organization_members"."user_id" = "auth"."uid"())))) WITH CHECK (("organization_id" IN ( SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE ("organization_members"."user_id" = "auth"."uid"()))));



CREATE POLICY "authenticated_users_can_update_org_knowledge_suggestions" ON "public"."knowledge_suggestions" FOR UPDATE TO "authenticated" USING (("organization_id" IN ( SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE ("organization_members"."user_id" = "auth"."uid"())))) WITH CHECK (("organization_id" IN ( SELECT "organization_members"."organization_id"
Expand Down Expand Up @@ -1555,6 +1581,9 @@ ALTER TABLE "public"."github_pull_request_comments" ENABLE ROW LEVEL SECURITY;
ALTER TABLE "public"."github_pull_requests" ENABLE ROW LEVEL SECURITY;


ALTER TABLE "public"."invitations" ENABLE ROW LEVEL SECURITY;


ALTER TABLE "public"."knowledge_suggestion_doc_mappings" ENABLE ROW LEVEL SECURITY;


Expand Down Expand Up @@ -1585,6 +1614,10 @@ ALTER TABLE "public"."review_feedback_knowledge_suggestion_mappings" ENABLE ROW
ALTER TABLE "public"."schema_file_paths" ENABLE ROW LEVEL SECURITY;


CREATE POLICY "service_role_can_delete_all_invitations" ON "public"."invitations" FOR DELETE TO "service_role" USING (true);



CREATE POLICY "service_role_can_delete_all_knowledge_suggestions" ON "public"."knowledge_suggestions" FOR DELETE TO "service_role" USING (true);


Expand All @@ -1605,6 +1638,10 @@ CREATE POLICY "service_role_can_insert_all_github_pull_requests" ON "public"."gi



CREATE POLICY "service_role_can_insert_all_invitations" ON "public"."invitations" FOR INSERT TO "service_role" WITH CHECK (true);



CREATE POLICY "service_role_can_insert_all_knowledge_suggestion_doc_mappings" ON "public"."knowledge_suggestion_doc_mappings" FOR INSERT TO "service_role" WITH CHECK (true);


Expand Down Expand Up @@ -1653,6 +1690,10 @@ CREATE POLICY "service_role_can_select_all_github_pull_requests" ON "public"."gi



CREATE POLICY "service_role_can_select_all_invitations" ON "public"."invitations" FOR SELECT TO "service_role" USING (true);



CREATE POLICY "service_role_can_select_all_knowledge_suggestions" ON "public"."knowledge_suggestions" FOR SELECT TO "service_role" USING (true);


Expand Down Expand Up @@ -1689,6 +1730,10 @@ CREATE POLICY "service_role_can_select_all_schema_file_paths" ON "public"."schem



CREATE POLICY "service_role_can_update_all_invitations" ON "public"."invitations" FOR UPDATE TO "service_role" USING (true) WITH CHECK (true);



CREATE POLICY "service_role_can_update_all_knowledge_suggestions" ON "public"."knowledge_suggestions" FOR UPDATE TO "service_role" USING (true) WITH CHECK (true);


Expand Down
66 changes: 66 additions & 0 deletions frontend/packages/db/supabase/migrations/20250425123413_add_rls_to_invitations.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
-- Enable RLS for invitations table
ALTER TABLE "public"."invitations" ENABLE ROW LEVEL SECURITY;

-- Policies for authenticated users
CREATE POLICY "authenticated_users_can_select_org_invitations"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Authenticated users can view, create, update, and delete invitations only within organizations they are members of.
  • Service role can fully manage invitations without restriction.
    Currently, broader permissions are granted because full feature implementation is still in progress.
    If you're curious where this table is used, try grepping for .from('invitations') in the codebase.

ON "public"."invitations"
FOR SELECT TO "authenticated"
USING (("organization_id" IN (
SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE "organization_members"."user_id" = "auth"."uid"()
)));

CREATE POLICY "authenticated_users_can_insert_org_invitations"
ON "public"."invitations"
FOR INSERT TO "authenticated"
WITH CHECK (("organization_id" IN (
SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE "organization_members"."user_id" = "auth"."uid"()
)));

CREATE POLICY "authenticated_users_can_update_org_invitations"
ON "public"."invitations"
FOR UPDATE TO "authenticated"
USING (("organization_id" IN (
SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE "organization_members"."user_id" = "auth"."uid"()
)))
WITH CHECK (("organization_id" IN (
SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE "organization_members"."user_id" = "auth"."uid"()
)));

CREATE POLICY "authenticated_users_can_delete_org_invitations"
ON "public"."invitations"
FOR DELETE TO "authenticated"
USING (("organization_id" IN (
SELECT "organization_members"."organization_id"
FROM "public"."organization_members"
WHERE "organization_members"."user_id" = "auth"."uid"()
)));

-- Policies for service_role
CREATE POLICY "service_role_can_select_all_invitations"
ON "public"."invitations"
FOR SELECT TO "service_role"
USING (true);

CREATE POLICY "service_role_can_insert_all_invitations"
ON "public"."invitations"
FOR INSERT TO "service_role"
WITH CHECK (true);

CREATE POLICY "service_role_can_update_all_invitations"
ON "public"."invitations"
FOR UPDATE TO "service_role"
USING (true)
WITH CHECK (true);

CREATE POLICY "service_role_can_delete_all_invitations"
ON "public"."invitations"
FOR DELETE TO "service_role"
USING (true);
Loading