diff --git a/PLATFORM_SETTINGS_RLS_FIX.sql b/PLATFORM_SETTINGS_RLS_FIX.sql
new file mode 100644
index 0000000..4c7d3a7
--- /dev/null
+++ b/PLATFORM_SETTINGS_RLS_FIX.sql
@@ -0,0 +1,127 @@
+-- =====================================================
+-- RLS POLICIES FOR platform_settings TABLE
+-- =====================================================
+-- This fixes the empty JSON response when non-admin users
+-- try to access branding settings (logo, favicon, colors)
+-- =====================================================
+
+-- Step 1: Enable RLS on platform_settings (if not already enabled)
+ALTER TABLE platform_settings ENABLE ROW LEVEL SECURITY;
+
+-- Step 2: Drop existing policies (if any)
+DROP POLICY IF EXISTS "Anyone can view platform settings" ON platform_settings;
+DROP POLICY IF EXISTS "Admins can update platform settings" ON platform_settings;
+DROP POLICY IF EXISTS "Admins can insert platform settings" ON platform_settings;
+
+-- Step 3: Create policies
+
+-- Policy 1: Allow ANYONE (including public) to SELECT platform_settings
+-- This is needed for branding to work on public pages
+CREATE POLICY "Public can view platform settings"
+ON platform_settings FOR SELECT
+TO public
+USING (true);
+
+-- Policy 2: Allow authenticated users to SELECT platform_settings
+CREATE POLICY "Authenticated can view platform settings"
+ON platform_settings FOR SELECT
+TO authenticated
+USING (true);
+
+-- Policy 3: Allow admins to UPDATE platform_settings
+CREATE POLICY "Admins can update platform settings"
+ON platform_settings FOR UPDATE
+TO authenticated
+USING (
+ EXISTS (
+ SELECT 1 FROM profiles
+ WHERE profiles.id = auth.uid()
+ AND profiles.role = 'admin'
+ )
+);
+
+-- Policy 4: Allow admins to INSERT platform_settings
+CREATE POLICY "Admins can insert platform settings"
+ON platform_settings FOR INSERT
+TO authenticated
+WITH CHECK (
+ EXISTS (
+ SELECT 1 FROM profiles
+ WHERE profiles.id = auth.uid()
+ AND profiles.role = 'admin'
+ )
+);
+
+-- Policy 5: Allow admins to DELETE platform_settings
+CREATE POLICY "Admins can delete platform settings"
+ON platform_settings FOR DELETE
+TO authenticated
+USING (
+ EXISTS (
+ SELECT 1 FROM profiles
+ WHERE profiles.id = auth.uid()
+ AND profiles.role = 'admin'
+ )
+);
+
+-- =====================================================
+-- VERIFICATION
+-- =====================================================
+
+-- Test as public (should return data)
+-- Run this in a new SQL window without authentication:
+SELECT * FROM platform_settings;
+
+-- Check current policies
+SELECT
+ tablename,
+ policyname,
+ permissive,
+ roles,
+ cmd,
+ qual,
+ with_check
+FROM pg_policies
+WHERE tablename = 'platform_settings';
+
+-- =====================================================
+-- ALTERNATIVE: Simpler policies (if profile check doesn't work)
+-- =====================================================
+
+-- If the above policies don't work, use these simpler versions:
+-- DROP POLICY IF EXISTS "Admins can update platform settings" ON platform_settings;
+-- DROP POLICY IF EXISTS "Admins can insert platform settings" ON platform_settings;
+-- DROP POLICY IF EXISTS "Admins can delete platform settings" ON platform_settings;
+--
+-- -- Allow all authenticated users to modify (less secure, but works)
+-- CREATE POLICY "Authenticated can update platform settings"
+-- ON platform_settings FOR UPDATE
+-- TO authenticated
+-- USING (true)
+-- WITH CHECK (true);
+--
+-- CREATE POLICY "Authenticated can insert platform settings"
+-- ON platform_settings FOR INSERT
+-- TO authenticated
+-- WITH CHECK (true);
+--
+-- CREATE POLICY "Authenticated can delete platform settings"
+-- ON platform_settings FOR DELETE
+-- TO authenticated
+-- USING (true);
+
+-- =====================================================
+-- TROUBLESHOOTING
+-- =====================================================
+
+-- Check if RLS is enabled
+SELECT tablename, rowsecurity
+FROM pg_tables
+WHERE tablename = 'platform_settings';
+
+-- Check if table has data
+SELECT COUNT(*) as row_count FROM platform_settings;
+
+-- Check current user
+SELECT auth.uid();
+SELECT * FROM profiles WHERE id = auth.uid();
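Review bot: Policy 1 (`TO public ... USING (true)`) makes every column of `platform_settings` readable by anonymous callers, while the header says only the branding fields (logo, favicon, colors) need to be public; RLS filters rows, not columns, so any other setting stored in the same rows is exposed as well. If the table holds anything beyond branding, expose only those columns through a view or a column-level grant such as `GRANT SELECT (<branding columns>) ON platform_settings TO <anonymous role>` (`anon` on Supabase, which the `auth.uid()`/`authenticated` usage suggests), and note that with `TO public` in place Policy 2 is redundant. The admin checks in Policies 3–5 run the `profiles` subquery under the caller's own RLS and trust `profiles.role`, so they silently return false if a user cannot read their own profile row, and they are only as strong as whatever stops a user from updating their own `role`; the "ALTERNATIVE" block's answer to that symptom (`USING (true)` for all authenticated users) would let any signed-in user rewrite site-wide settings and is better replaced by a `SECURITY DEFINER` helper that performs the role lookup than left as an easy-to-uncomment fallback. Separately, Step 2 does not drop `"Public can view platform settings"`, `"Authenticated can view platform settings"` or `"Admins can delete platform settings"`, so rerunning the script fails at `CREATE POLICY` with a duplicate-policy error; adding those three `DROP POLICY IF EXISTS` lines makes it idempotent.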