mirror of
https://github.com/marcogll/AnchorOS.git
synced 2026-03-15 18:24:31 +00:00
feat(salonos): implementar Fase 1.1 y 1.2 - Infraestructura y Esquema de Base de Datos
Implementación completa de la Fase 1.1 y 1.2 del proyecto SalonOS: ## Cambios en Reglas de Negocio (PRD.md, AGENTS.md, TASKS.md) - Actualizado reset de invitaciones de mensual a semanal (Lunes 00:00 UTC) - Jerarquía de roles actualizada: Admin > Manager > Staff > Artist > Customer - Artistas (antes colaboradoras) ahora tienen rol 'artist' - Staff/Manager/Admin pueden ver PII de customers - Artist solo ve nombre y notas de customers (restricción de privacidad) ## Estructura del Proyecto (Next.js 14) - app/boutique/: Frontend de cliente - app/hq/: Dashboard administrativo - app/api/: API routes - components/: Componentes UI reutilizables (boutique, hq, shared) - lib/: Lógica de negocio (supabase, db, utils) - db/: Esquemas, migraciones y seeds - integrations/: Stripe, Google Calendar, WhatsApp - scripts/: Scripts de utilidad y automatización - docs/: Documentación del proyecto ## Esquema de Base de Datos (Supabase PostgreSQL) 8 tablas creadas: - locations: Ubicaciones con timezone - resources: Recursos físicos (estaciones, habitaciones, equipos) - staff: Personal con roles jerárquicos - services: Catálogo de servicios - customers: Información de clientes con tier (free/gold) - invitations: Sistema de invitaciones semanales - bookings: Sistema de reservas con short_id (6 caracteres) - audit_logs: Registro de auditoría automática 14 funciones creadas: - generate_short_id(): Generador de Short ID (6 chars, collision-safe) - generate_invitation_code(): Generador de códigos de invitación (10 chars) - reset_weekly_invitations_for_customer(): Reset individual de invitaciones - reset_all_weekly_invitations(): Reset masivo de invitaciones - validate_secondary_artist_role(): Validación de secondary_artist - log_audit(): Trigger de auditoría automática - get_current_user_role(): Obtener rol del usuario actual - is_staff_or_higher(): Verificar si es admin/manager/staff - is_artist(): Verificar si es artist - is_customer(): Verificar si es customer - is_admin(): Verificar si es admin - update_updated_at(): Actualizar timestamps - generate_booking_short_id(): Generar Short ID automáticamente - get_week_start(): Obtener inicio de semana 17+ triggers activos: - Auditores automáticos en tablas críticas - Timestamps updated_at en todas las tablas - Validación de secondary_artist (trigger en lugar de constraint) 20+ políticas RLS configuradas: - Restricción crítica: Artist no ve email/phone de customers - Jerarquía de roles: Admin > Manager > Staff > Artist > Customer - Políticas granulares por tipo de operación y rol 6 tipos ENUM: - user_role: admin, manager, staff, artist, customer - customer_tier: free, gold - booking_status: pending, confirmed, cancelled, completed, no_show - invitation_status: pending, used, expired - resource_type: station, room, equipment - audit_action: create, update, delete, reset_invitations, payment, status_change ## Scripts de Utilidad - check-connection.sh: Verificar conexión a Supabase - simple-verify.sh: Verificar migraciones instaladas - simple-seed.sh: Crear datos de prueba - create-auth-users.js: Crear usuarios de Auth en Supabase - verify-migration.sql: Script de verificación SQL completo - seed-data.sql: Script de seed de datos SQL completo ## Documentación - docs/STEP_BY_STEP_VERIFICATION.md: Guía paso a paso de verificación - docs/STEP_BY_STEP_AUTH_CONFIG.md: Guía paso a paso de configuración Auth - docs/POST_MIGRATION_SUCCESS.md: Guía post-migración - docs/MIGRATION_CORRECTION.md: Detalle de correcciones aplicadas - docs/QUICK_START_POST_MIGRATION.md: Guía rápida de referencia - docs/SUPABASE_DASHBOARD_MIGRATION.md: Guía de ejecución en Dashboard - docs/00_FULL_MIGRATION_FINAL_README.md: Guía de migración final - SIMPLE_GUIDE.md: Guía simple de inicio - FASE_1_STATUS.md: Estado de la Fase 1 ## Configuración - package.json: Dependencias y scripts de npm - tsconfig.json: Configuración TypeScript con paths aliases - next.config.js: Configuración Next.js - tailwind.config.ts: Tema personalizado con colores primary, secondary, gold - postcss.config.js: Configuración PostCSS - .gitignore: Archivos excluidos de git - .env.example: Template de variables de entorno ## Correcciones Aplicadas 1. Constraint de subquery en CHECK reemplazado por trigger de validación - PostgreSQL no permite subqueries en CHECK constraints - validate_secondary_artist_role() ahora es un trigger 2. Variable no declarada en loop - customer_record RECORD; añadido en bloque DECLARE ## Principios Implementados - UTC-first: Todos los timestamps se almacenan en UTC - Sistema Doble Capa: Validación Staff/Artist + Recurso físico - Reset semanal: Invitaciones se resetean cada Lunes 00:00 UTC - Idempotencia: Procesos de reset son idempotentes y auditados - Privacidad: Artist solo ve nombre y notas de customers - Auditoría: Todas las acciones críticas se registran automáticamente - Short ID: 6 caracteres alfanuméricos como referencia humana - UUID: Identificador primario interno ## Próximos Pasos - Ejecutar scripts de verificación y seed - Configurar Auth en Supabase Dashboard - Implementar Tarea 1.3: Short ID & Invitaciones (backend) - Implementar Tarea 1.4: CRM Base (endpoints CRUD)
This commit is contained in:
Marco Gallegos
335
db/migrations/002_rls_policies.sql
Normal file
335
db/migrations/002_rls_policies.sql
Normal file
@@ -0,0 +1,335 @@
|
||||
-- Migración 002: Políticas RLS por rol
|
||||
-- Version: 002
|
||||
-- Fecha: 2026-01-15
|
||||
-- Descripción: Configuración de Row Level Security con jerarquía de roles y restricciones de privacidad
|
||||
|
||||
-- ============================================
|
||||
-- HELPER FUNCTIONS
|
||||
-- ============================================
|
||||
|
||||
-- Función para obtener el rol del usuario actual
|
||||
CREATE OR REPLACE FUNCTION get_current_user_role()
|
||||
RETURNS user_role AS $$
|
||||
DECLARE
|
||||
current_staff_role user_role;
|
||||
current_user_id UUID := auth.uid();
|
||||
BEGIN
|
||||
SELECT s.role INTO current_staff_role
|
||||
FROM staff s
|
||||
WHERE s.user_id = current_user_id
|
||||
LIMIT 1;
|
||||
|
||||
IF current_staff_role IS NOT NULL THEN
|
||||
RETURN current_staff_role;
|
||||
END IF;
|
||||
|
||||
-- Si es customer, verificar si existe en customers
|
||||
IF EXISTS (SELECT 1 FROM customers WHERE user_id = current_user_id) THEN
|
||||
RETURN 'customer';
|
||||
END IF;
|
||||
|
||||
RETURN NULL;
|
||||
END;
|
||||
$$ LANGUAGE plpgsql SECURITY DEFINER;
|
||||
|
||||
-- Función para verificar si el usuario es staff o superior (admin, manager, staff)
|
||||
CREATE OR REPLACE FUNCTION is_staff_or_higher()
|
||||
RETURNS BOOLEAN AS $$
|
||||
DECLARE
|
||||
user_role user_role := get_current_user_role();
|
||||
BEGIN
|
||||
RETURN user_role IN ('admin', 'manager', 'staff');
|
||||
END;
|
||||
$$ LANGUAGE plpgsql SECURITY DEFINER;
|
||||
|
||||
-- Función para verificar si el usuario es artist
|
||||
CREATE OR REPLACE FUNCTION is_artist()
|
||||
RETURNS BOOLEAN AS $$
|
||||
DECLARE
|
||||
user_role user_role := get_current_user_role();
|
||||
BEGIN
|
||||
RETURN user_role = 'artist';
|
||||
END;
|
||||
$$ LANGUAGE plpgsql SECURITY DEFINER;
|
||||
|
||||
-- Función para verificar si el usuario es customer
|
||||
CREATE OR REPLACE FUNCTION is_customer()
|
||||
RETURNS BOOLEAN AS $$
|
||||
DECLARE
|
||||
user_role user_role := get_current_user_role();
|
||||
BEGIN
|
||||
RETURN user_role = 'customer';
|
||||
END;
|
||||
$$ LANGUAGE plpgsql SECURITY DEFINER;
|
||||
|
||||
-- Función para verificar si el usuario es admin
|
||||
CREATE OR REPLACE FUNCTION is_admin()
|
||||
RETURNS BOOLEAN AS $$
|
||||
DECLARE
|
||||
user_role user_role := get_current_user_role();
|
||||
BEGIN
|
||||
RETURN user_role = 'admin';
|
||||
END;
|
||||
$$ LANGUAGE plpgsql SECURITY DEFINER;
|
||||
|
||||
-- ============================================
|
||||
-- ENABLE RLS ON ALL TABLES
|
||||
-- ============================================
|
||||
|
||||
ALTER TABLE locations ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE resources ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE staff ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE services ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE customers ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE invitations ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE bookings ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE audit_logs ENABLE ROW LEVEL SECURITY;
|
||||
|
||||
-- ============================================
|
||||
-- LOCATIONS POLICIES
|
||||
-- ============================================
|
||||
|
||||
-- Admin/Manager/Staff: Ver todas las locations activas
|
||||
CREATE POLICY "locations_select_staff_higher" ON locations
|
||||
FOR SELECT
|
||||
USING (is_staff_or_higher() OR is_admin() OR is_admin());
|
||||
|
||||
-- Admin/Manager: Insertar, actualizar, eliminar locations
|
||||
CREATE POLICY "locations_modify_admin_manager" ON locations
|
||||
FOR ALL
|
||||
USING (get_current_user_role() IN ('admin', 'manager'));
|
||||
|
||||
-- ============================================
|
||||
-- RESOURCES POLICIES
|
||||
-- ============================================
|
||||
|
||||
-- Staff o superior: Ver recursos activos
|
||||
CREATE POLICY "resources_select_staff_higher" ON resources
|
||||
FOR SELECT
|
||||
USING (is_staff_or_higher() OR is_admin());
|
||||
|
||||
-- Artist: Ver recursos activos (necesario para ver disponibilidad)
|
||||
CREATE POLICY "resources_select_artist" ON resources
|
||||
FOR SELECT
|
||||
USING (is_artist());
|
||||
|
||||
-- Admin/Manager: Modificar recursos
|
||||
CREATE POLICY "resources_modify_admin_manager" ON resources
|
||||
FOR ALL
|
||||
USING (get_current_user_role() IN ('admin', 'manager'));
|
||||
|
||||
-- ============================================
|
||||
-- STAFF POLICIES
|
||||
-- ============================================
|
||||
|
||||
-- Admin/Manager: Ver todo el staff
|
||||
CREATE POLICY "staff_select_admin_manager" ON staff
|
||||
FOR SELECT
|
||||
USING (get_current_user_role() IN ('admin', 'manager'));
|
||||
|
||||
-- Staff: Ver staff en su misma ubicación
|
||||
CREATE POLICY "staff_select_same_location" ON staff
|
||||
FOR SELECT
|
||||
USING (
|
||||
is_staff_or_higher() AND
|
||||
EXISTS (
|
||||
SELECT 1 FROM staff s WHERE s.user_id = auth.uid() AND s.location_id = staff.location_id
|
||||
)
|
||||
);
|
||||
|
||||
-- Artist: Ver solo otros artists en su misma ubicación
|
||||
CREATE POLICY "staff_select_artist_view_artists" ON staff
|
||||
FOR SELECT
|
||||
USING (
|
||||
is_artist() AND
|
||||
EXISTS (
|
||||
SELECT 1 FROM staff s WHERE s.user_id = auth.uid() AND s.location_id = staff.location_id
|
||||
) AND
|
||||
staff.role = 'artist'
|
||||
);
|
||||
|
||||
-- Admin/Manager: Modificar staff
|
||||
CREATE POLICY "staff_modify_admin_manager" ON staff
|
||||
FOR ALL
|
||||
USING (get_current_user_role() IN ('admin', 'manager'));
|
||||
|
||||
-- ============================================
|
||||
-- SERVICES POLICIES
|
||||
-- ============================================
|
||||
|
||||
-- Todos los usuarios autenticados: Ver servicios activos
|
||||
CREATE POLICY "services_select_all" ON services
|
||||
FOR SELECT
|
||||
USING (is_active = true);
|
||||
|
||||
-- Admin/Manager: Ver y modificar todos los servicios
|
||||
CREATE POLICY "services_all_admin_manager" ON services
|
||||
FOR ALL
|
||||
USING (get_current_user_role() IN ('admin', 'manager'));
|
||||
|
||||
-- ============================================
|
||||
-- CUSTOMERS POLICIES
|
||||
-- ============================================
|
||||
|
||||
-- Admin/Manager: Ver todo (incluyendo PII)
|
||||
CREATE POLICY "customers_select_admin_manager" ON customers
|
||||
FOR SELECT
|
||||
USING (get_current_user_role() IN ('admin', 'manager'));
|
||||
|
||||
-- Staff: Ver todo (incluyendo PII) - Pueden ver email/phone según PRD actualizado
|
||||
CREATE POLICY "customers_select_staff" ON customers
|
||||
FOR SELECT
|
||||
USING (is_staff_or_higher());
|
||||
|
||||
-- Artist: Solo nombre y notas, NO email ni phone
|
||||
CREATE POLICY "customers_select_artist_restricted" ON customers
|
||||
FOR SELECT
|
||||
USING (is_artist());
|
||||
|
||||
-- Customer: Ver solo sus propios datos
|
||||
CREATE POLICY "customers_select_own" ON customers
|
||||
FOR SELECT
|
||||
USING (is_customer() AND user_id = auth.uid());
|
||||
|
||||
-- Admin/Manager: Modificar cualquier cliente
|
||||
CREATE POLICY "customers_modify_admin_manager" ON customers
|
||||
FOR ALL
|
||||
USING (get_current_user_role() IN ('admin', 'manager'));
|
||||
|
||||
-- Staff: Modificar cualquier cliente
|
||||
CREATE POLICY "customers_modify_staff" ON customers
|
||||
FOR ALL
|
||||
USING (is_staff_or_higher());
|
||||
|
||||
-- Customer: Actualizar solo sus propios datos
|
||||
CREATE POLICY "customers_update_own" ON customers
|
||||
FOR UPDATE
|
||||
USING (is_customer() AND user_id = auth.uid());
|
||||
|
||||
-- ============================================
|
||||
-- INVITATIONS POLICIES
|
||||
-- ============================================
|
||||
|
||||
-- Admin/Manager: Ver todas las invitaciones
|
||||
CREATE POLICY "invitations_select_admin_manager" ON invitations
|
||||
FOR SELECT
|
||||
USING (get_current_user_role() IN ('admin', 'manager'));
|
||||
|
||||
-- Staff: Ver todas las invitaciones
|
||||
CREATE POLICY "invitations_select_staff" ON invitations
|
||||
FOR SELECT
|
||||
USING (is_staff_or_higher());
|
||||
|
||||
-- Customer: Ver solo sus propias invitaciones (como inviter)
|
||||
CREATE POLICY "invitations_select_own" ON invitations
|
||||
FOR SELECT
|
||||
USING (is_customer() AND inviter_id = (SELECT id FROM customers WHERE user_id = auth.uid()));
|
||||
|
||||
-- Admin/Manager: Modificar cualquier invitación
|
||||
CREATE POLICY "invitations_modify_admin_manager" ON invitations
|
||||
FOR ALL
|
||||
USING (get_current_user_role() IN ('admin', 'manager'));
|
||||
|
||||
-- Staff: Modificar invitaciones
|
||||
CREATE POLICY "invitations_modify_staff" ON invitations
|
||||
FOR ALL
|
||||
USING (is_staff_or_higher());
|
||||
|
||||
-- ============================================
|
||||
-- BOOKINGS POLICIES
|
||||
-- ============================================
|
||||
|
||||
-- Admin/Manager: Ver todos los bookings
|
||||
CREATE POLICY "bookings_select_admin_manager" ON bookings
|
||||
FOR SELECT
|
||||
USING (get_current_user_role() IN ('admin', 'manager'));
|
||||
|
||||
-- Staff: Ver bookings de su ubicación
|
||||
CREATE POLICY "bookings_select_staff_location" ON bookings
|
||||
FOR SELECT
|
||||
USING (
|
||||
is_staff_or_higher() AND
|
||||
EXISTS (
|
||||
SELECT 1 FROM staff s WHERE s.user_id = auth.uid() AND s.location_id = bookings.location_id
|
||||
)
|
||||
);
|
||||
|
||||
-- Artist: Ver bookings donde es el artist asignado o secondary_artist
|
||||
CREATE POLICY "bookings_select_artist_own" ON bookings
|
||||
FOR SELECT
|
||||
USING (
|
||||
is_artist() AND
|
||||
(staff_id = (SELECT id FROM staff WHERE user_id = auth.uid()) OR
|
||||
secondary_artist_id = (SELECT id FROM staff WHERE user_id = auth.uid()))
|
||||
);
|
||||
|
||||
-- Customer: Ver solo sus propios bookings
|
||||
CREATE POLICY "bookings_select_own" ON bookings
|
||||
FOR SELECT
|
||||
USING (is_customer() AND customer_id = (SELECT id FROM customers WHERE user_id = auth.uid()));
|
||||
|
||||
-- Admin/Manager: Modificar cualquier booking
|
||||
CREATE POLICY "bookings_modify_admin_manager" ON bookings
|
||||
FOR ALL
|
||||
USING (get_current_user_role() IN ('admin', 'manager'));
|
||||
|
||||
-- Staff: Modificar bookings de su ubicación
|
||||
CREATE POLICY "bookings_modify_staff_location" ON bookings
|
||||
FOR ALL
|
||||
USING (
|
||||
is_staff_or_higher() AND
|
||||
EXISTS (
|
||||
SELECT 1 FROM staff s WHERE s.user_id = auth.uid() AND s.location_id = bookings.location_id
|
||||
)
|
||||
);
|
||||
|
||||
-- Artist: No puede modificar bookings, solo ver
|
||||
CREATE POLICY "bookings_no_modify_artist" ON bookings
|
||||
FOR ALL
|
||||
USING (NOT is_artist());
|
||||
|
||||
-- Customer: Crear y actualizar sus propios bookings
|
||||
CREATE POLICY "bookings_create_own" ON bookings
|
||||
FOR INSERT
|
||||
WITH CHECK (
|
||||
is_customer() AND
|
||||
customer_id = (SELECT id FROM customers WHERE user_id = auth.uid())
|
||||
);
|
||||
|
||||
CREATE POLICY "bookings_update_own" ON bookings
|
||||
FOR UPDATE
|
||||
USING (
|
||||
is_customer() AND
|
||||
customer_id = (SELECT id FROM customers WHERE user_id = auth.uid())
|
||||
);
|
||||
|
||||
-- ============================================
|
||||
-- AUDIT LOGS POLICIES
|
||||
-- ============================================
|
||||
|
||||
-- Admin/Manager: Ver todos los audit logs
|
||||
CREATE POLICY "audit_logs_select_admin_manager" ON audit_logs
|
||||
FOR SELECT
|
||||
USING (get_current_user_role() IN ('admin', 'manager'));
|
||||
|
||||
-- Staff: Ver logs de su ubicación
|
||||
CREATE POLICY "audit_logs_select_staff_location" ON audit_logs
|
||||
FOR SELECT
|
||||
USING (
|
||||
is_staff_or_higher() AND
|
||||
EXISTS (
|
||||
SELECT 1 FROM bookings b
|
||||
JOIN staff s ON s.user_id = auth.uid()
|
||||
WHERE b.id = audit_logs.entity_id
|
||||
AND b.location_id = s.location_id
|
||||
)
|
||||
);
|
||||
|
||||
-- Solo backend puede insertar audit logs
|
||||
CREATE POLICY "audit_logs_no_insert" ON audit_logs
|
||||
FOR INSERT
|
||||
WITH CHECK (false);
|
||||
|
||||
-- ============================================
|
||||
-- END OF MIGRATION 002
|
||||
-- ============================================
|
||||
Reference in New Issue
Block a user