From 3a6bf0880454f458e011797ac0635215cf0d6a8c Mon Sep 17 00:00:00 2001
From: "Builder.io"
Date: Sat, 18 Oct 2025 04:02:18 +0000
Subject: [PATCH] Add migration to fix RLS recursion on team_memberships and tighten policies cgen-7fa58d60c5f543ddb2cab2c3cb1f0b0f
---
.../20251018_fix_team_memberships_rls.sql | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 supabase/migrations/20251018_fix_team_memberships_rls.sql
diff --git a/supabase/migrations/20251018_fix_team_memberships_rls.sql b/supabase/migrations/20251018_fix_team_memberships_rls.sql
new file mode 100644
index 00000000..9e29f08a
--- /dev/null
+++ b/supabase/migrations/20251018_fix_team_memberships_rls.sql
@@ -0,0 +1,36 @@
+-- Fix RLS recursion on team_memberships and define safe, non-recursive policies
+begin;
+
+-- Ensure RLS is enabled
+alter table public.team_memberships enable row level security;
+
+-- Drop problematic/overly broad policies if they exist
+drop policy if exists team_memberships_read on public.team_memberships;
+drop policy if exists team_memberships_manage_self on public.team_memberships;
+
+-- Allow users to read only their own membership rows
+create policy team_memberships_select_own on public.team_memberships
+for select
+to authenticated
+using (user_id = auth.uid());
+
+-- Allow users to create membership rows only for themselves
+create policy team_memberships_insert_self on public.team_memberships
+for insert
+to authenticated
+with check (user_id = auth.uid());
+
+-- Allow users to update only their own membership rows
+create policy team_memberships_update_self on public.team_memberships
+for update
+to authenticated
+using (user_id = auth.uid())
+with check (user_id = auth.uid());
+
+-- Allow users to delete only their own membership rows
+create policy team_memberships_delete_self on public.team_memberships
+for delete
+to authenticated
+using (user_id = auth.uid());
+
+commit;
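Review bot: `team_memberships_insert_self` and `team_memberships_update_self` constrain only `user_id`, so any authenticated user can insert a membership row for themselves on any team, or rewrite the other columns of their own row. The table's remaining columns (presumably a team reference and perhaps a role) are not visible in this patch, so confirm against the schema. If membership is meant to be granted by a team owner or an invitation, drop these two policies and perform the writes through a trusted path (the service role, or a `security definer` function that validates the grant), keeping `team_memberships_select_own` and, if self-removal is intended, `team_memberships_delete_self`. At minimum, add a comment above the insert policy such as `-- WARNING: does not restrict which team a user may join; membership grants must be validated elsewhere`. The migration also drops `team_memberships_read` without replacing team-wide visibility, so any query that lists teammates will now return only the caller's own row.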