- SQL 010: tablas user_groups y group_memberships con RLS - SQL 011: tabla process_access para acceso explícito a procesos - SQL 012: función is_platform_admin() + políticas granulares (select/insert/update/delete) en processes - types.ts: Process.ownerId (requerido) - process-repo: fromRow mapea owner_id→ownerId; toRow preserva ownerId en updates; setShared() no-op documentado - ImportPage: asigna ownerId: user.id al crear proceso - LibraryPage: toggle Todos/Míos, OwnershipBadge (🔒/👤) en cada tarjeta, opción "Compartir con equipo" en menú de proceso propio con toast de confirmación - Tests: ownerId: 'test-user' agregado a todos los fixtures de Process Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
54 lines
1.6 KiB
PL/PgSQL
54 lines
1.6 KiB
PL/PgSQL
-- Helper: retorna true si el usuario actual es platform_admin
|
|
CREATE OR REPLACE FUNCTION public.is_platform_admin()
|
|
RETURNS boolean
|
|
LANGUAGE sql SECURITY DEFINER
|
|
AS $$
|
|
SELECT EXISTS (
|
|
SELECT 1 FROM public.users
|
|
WHERE id = auth.uid() AND platform_role = 'platform_admin'
|
|
);
|
|
$$;
|
|
|
|
-- Eliminar política amplia de Sprint 4 Etapa 2
|
|
DROP POLICY IF EXISTS "authenticated_all_processes" ON public.processes;
|
|
|
|
-- Políticas granulares
|
|
CREATE POLICY "select_processes" ON public.processes
|
|
FOR SELECT USING (
|
|
public.is_platform_admin()
|
|
OR owner_id = auth.uid()
|
|
OR EXISTS (
|
|
SELECT 1 FROM public.process_access
|
|
WHERE process_id = processes.id
|
|
AND (
|
|
(grantee_type = 'user' AND grantee_id = auth.uid())
|
|
OR (grantee_type = 'group' AND grantee_id IN (
|
|
SELECT group_id FROM public.group_memberships WHERE user_id = auth.uid()
|
|
))
|
|
)
|
|
)
|
|
);
|
|
|
|
CREATE POLICY "insert_processes" ON public.processes
|
|
FOR INSERT WITH CHECK (auth.uid() IS NOT NULL);
|
|
|
|
CREATE POLICY "update_processes" ON public.processes
|
|
FOR UPDATE USING (
|
|
public.is_platform_admin()
|
|
OR owner_id = auth.uid()
|
|
OR EXISTS (
|
|
SELECT 1 FROM public.process_access
|
|
WHERE process_id = processes.id
|
|
AND permission = 'edit'
|
|
AND (
|
|
(grantee_type = 'user' AND grantee_id = auth.uid())
|
|
OR (grantee_type = 'group' AND grantee_id IN (
|
|
SELECT group_id FROM public.group_memberships WHERE user_id = auth.uid()
|
|
))
|
|
)
|
|
)
|
|
);
|
|
|
|
CREATE POLICY "delete_processes" ON public.processes
|
|
FOR DELETE USING (public.is_platform_admin() OR owner_id = auth.uid());
|