Add RLS policy fixes for platform_settings and storage

- PLATFORM_SETTINGS_RLS_FIX.sql: Allow public read access to branding settings - STORAGE_RLS_FIX.sql: Fix upload permissions for logo/favicon These fixes: 1. Allow non-admin users to see branding (logo, favicon, colors) 2. Fix empty JSON response on platform_settings fetch 3. Fix storage upload 403 errors 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-24 14:40:14 +07:00
parent 7a8f9cb9a9
commit 9fdcf07439
1 changed files with 127 additions and 0 deletions
--- a/PLATFORM_SETTINGS_RLS_FIX.sql
+++ b/PLATFORM_SETTINGS_RLS_FIX.sql
@@ -0,0 +1,127 @@
+-- =====================================================
+-- RLS POLICIES FOR platform_settings TABLE
+-- =====================================================
+-- This fixes the empty JSON response when non-admin users
+-- try to access branding settings (logo, favicon, colors)
+-- =====================================================
+
+-- Step 1: Enable RLS on platform_settings (if not already enabled)
+ALTER TABLE platform_settings ENABLE ROW LEVEL SECURITY;
+
+-- Step 2: Drop existing policies (if any)
+DROP POLICY IF EXISTS "Anyone can view platform settings" ON platform_settings;
+DROP POLICY IF EXISTS "Admins can update platform settings" ON platform_settings;
+DROP POLICY IF EXISTS "Admins can insert platform settings" ON platform_settings;
+
+-- Step 3: Create policies
+
+-- Policy 1: Allow ANYONE (including public) to SELECT platform_settings
+-- This is needed for branding to work on public pages
+CREATE POLICY "Public can view platform settings"
+ON platform_settings FOR SELECT
+TO public
+USING (true);
+
+-- Policy 2: Allow authenticated users to SELECT platform_settings
+CREATE POLICY "Authenticated can view platform settings"
+ON platform_settings FOR SELECT
+TO authenticated
+USING (true);
+
+-- Policy 3: Allow admins to UPDATE platform_settings
+CREATE POLICY "Admins can update platform settings"
+ON platform_settings FOR UPDATE
+TO authenticated
+USING (
+  EXISTS (
+    SELECT 1 FROM profiles
+    WHERE profiles.id = auth.uid()
+    AND profiles.role = 'admin'
+  )
+);
+
+-- Policy 4: Allow admins to INSERT platform_settings
+CREATE POLICY "Admins can insert platform settings"
+ON platform_settings FOR INSERT
+TO authenticated
+WITH CHECK (
+  EXISTS (
+    SELECT 1 FROM profiles
+    WHERE profiles.id = auth.uid()
+    AND profiles.role = 'admin'
+  )
+);
+
+-- Policy 5: Allow admins to DELETE platform_settings
+CREATE POLICY "Admins can delete platform settings"
+ON platform_settings FOR DELETE
+TO authenticated
+USING (
+  EXISTS (
+    SELECT 1 FROM profiles
+    WHERE profiles.id = auth.uid()
+    AND profiles.role = 'admin'
+  )
+);
+
+-- =====================================================
+-- VERIFICATION
+-- =====================================================
+
+-- Test as public (should return data)
+-- Run this in a new SQL window without authentication:
+SELECT * FROM platform_settings;
+
+-- Check current policies
+SELECT
+  tablename,
+  policyname,
+  permissive,
+  roles,
+  cmd,
+  qual,
+  with_check
+FROM pg_policies
+WHERE tablename = 'platform_settings';
+
+-- =====================================================
+-- ALTERNATIVE: Simpler policies (if profile check doesn't work)
+-- =====================================================
+
+-- If the above policies don't work, use these simpler versions:
+-- DROP POLICY IF EXISTS "Admins can update platform settings" ON platform_settings;
+-- DROP POLICY IF EXISTS "Admins can insert platform settings" ON platform_settings;
+-- DROP POLICY IF EXISTS "Admins can delete platform settings" ON platform_settings;
+--
+-- -- Allow all authenticated users to modify (less secure, but works)
+-- CREATE POLICY "Authenticated can update platform settings"
+-- ON platform_settings FOR UPDATE
+-- TO authenticated
+-- USING (true)
+-- WITH CHECK (true);
+--
+-- CREATE POLICY "Authenticated can insert platform settings"
+-- ON platform_settings FOR INSERT
+-- TO authenticated
+-- WITH CHECK (true);
+--
+-- CREATE POLICY "Authenticated can delete platform settings"
+-- ON platform_settings FOR DELETE
+-- TO authenticated
+-- USING (true);
+
+-- =====================================================
+-- TROUBLESHOOTING
+-- =====================================================
+
+-- Check if RLS is enabled
+SELECT tablename, rowsecurity
+FROM pg_tables
+WHERE tablename = 'platform_settings';
+
+-- Check if table has data
+SELECT COUNT(*) as row_count FROM platform_settings;
+
+-- Check current user
+SELECT auth.uid();
+SELECT * FROM profiles WHERE id = auth.uid();