Add migration to fix RLS recursion on team_memberships and tighten policies

cgen-7fa58d60c5f543ddb2cab2c3cb1f0b0f
2025-10-18 04:02:18 +00:00 · 2025-10-18 04:02:18 +00:00 · 3a6bf08804
commit 3a6bf08804
parent df2b52af71
1 changed files with 36 additions and 0 deletions
--- a/supabase/migrations/20251018_fix_team_memberships_rls.sql
+++ b/supabase/migrations/20251018_fix_team_memberships_rls.sql
@ -0,0 +1,36 @@
+-- Fix RLS recursion on team_memberships and define safe, non-recursive policies
+begin;
+
+-- Ensure RLS is enabled
+alter table public.team_memberships enable row level security;
+
+-- Drop problematic/overly broad policies if they exist
+drop policy if exists team_memberships_read on public.team_memberships;
+drop policy if exists team_memberships_manage_self on public.team_memberships;
+
+-- Allow users to read only their own membership rows
+create policy team_memberships_select_own on public.team_memberships
+for select
+to authenticated
+using (user_id = auth.uid());
+
+-- Allow users to create membership rows only for themselves
+create policy team_memberships_insert_self on public.team_memberships
+for insert
+to authenticated
+with check (user_id = auth.uid());
+
+-- Allow users to update only their own membership rows
+create policy team_memberships_update_self on public.team_memberships
+for update
+to authenticated
+using (user_id = auth.uid())
+with check (user_id = auth.uid());
+
+-- Allow users to delete only their own membership rows
+create policy team_memberships_delete_self on public.team_memberships
+for delete
+to authenticated
+using (user_id = auth.uid());
+
+commit;