marcogll/AnchorOS
1
0
Fork 0
mirror of https://github.com/marcogll/AnchorOS.git synced 2026-03-15 11:24:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4707ddbd5a7084408b48b9d4c152b070a713a4fb
AnchorOS/db/migrations/002_rls_policies.sql
Marco Gallegos 4707ddbd5a feat(salonos): implementar Fase 1.1 y 1.2 - Infraestructura y Esquema de Base de Datos 
Implementación completa de la Fase 1.1 y 1.2 del proyecto SalonOS:

## Cambios en Reglas de Negocio (PRD.md, AGENTS.md, TASKS.md)
- Actualizado reset de invitaciones de mensual a semanal (Lunes 00:00 UTC)
- Jerarquía de roles actualizada: Admin > Manager > Staff > Artist > Customer
- Artistas (antes colaboradoras) ahora tienen rol 'artist'
- Staff/Manager/Admin pueden ver PII de customers
- Artist solo ve nombre y notas de customers (restricción de privacidad)

## Estructura del Proyecto (Next.js 14)
- app/boutique/: Frontend de cliente
- app/hq/: Dashboard administrativo
- app/api/: API routes
- components/: Componentes UI reutilizables (boutique, hq, shared)
- lib/: Lógica de negocio (supabase, db, utils)
- db/: Esquemas, migraciones y seeds
- integrations/: Stripe, Google Calendar, WhatsApp
- scripts/: Scripts de utilidad y automatización
- docs/: Documentación del proyecto

## Esquema de Base de Datos (Supabase PostgreSQL)
8 tablas creadas:
- locations: Ubicaciones con timezone
- resources: Recursos físicos (estaciones, habitaciones, equipos)
- staff: Personal con roles jerárquicos
- services: Catálogo de servicios
- customers: Información de clientes con tier (free/gold)
- invitations: Sistema de invitaciones semanales
- bookings: Sistema de reservas con short_id (6 caracteres)
- audit_logs: Registro de auditoría automática

14 funciones creadas:
- generate_short_id(): Generador de Short ID (6 chars, collision-safe)
- generate_invitation_code(): Generador de códigos de invitación (10 chars)
- reset_weekly_invitations_for_customer(): Reset individual de invitaciones
- reset_all_weekly_invitations(): Reset masivo de invitaciones
- validate_secondary_artist_role(): Validación de secondary_artist
- log_audit(): Trigger de auditoría automática
- get_current_user_role(): Obtener rol del usuario actual
- is_staff_or_higher(): Verificar si es admin/manager/staff
- is_artist(): Verificar si es artist
- is_customer(): Verificar si es customer
- is_admin(): Verificar si es admin
- update_updated_at(): Actualizar timestamps
- generate_booking_short_id(): Generar Short ID automáticamente
- get_week_start(): Obtener inicio de semana

17+ triggers activos:
- Auditores automáticos en tablas críticas
- Timestamps updated_at en todas las tablas
- Validación de secondary_artist (trigger en lugar de constraint)

20+ políticas RLS configuradas:
- Restricción crítica: Artist no ve email/phone de customers
- Jerarquía de roles: Admin > Manager > Staff > Artist > Customer
- Políticas granulares por tipo de operación y rol

6 tipos ENUM:
- user_role: admin, manager, staff, artist, customer
- customer_tier: free, gold
- booking_status: pending, confirmed, cancelled, completed, no_show
- invitation_status: pending, used, expired
- resource_type: station, room, equipment
- audit_action: create, update, delete, reset_invitations, payment, status_change

## Scripts de Utilidad
- check-connection.sh: Verificar conexión a Supabase
- simple-verify.sh: Verificar migraciones instaladas
- simple-seed.sh: Crear datos de prueba
- create-auth-users.js: Crear usuarios de Auth en Supabase
- verify-migration.sql: Script de verificación SQL completo
- seed-data.sql: Script de seed de datos SQL completo

## Documentación
- docs/STEP_BY_STEP_VERIFICATION.md: Guía paso a paso de verificación
- docs/STEP_BY_STEP_AUTH_CONFIG.md: Guía paso a paso de configuración Auth
- docs/POST_MIGRATION_SUCCESS.md: Guía post-migración
- docs/MIGRATION_CORRECTION.md: Detalle de correcciones aplicadas
- docs/QUICK_START_POST_MIGRATION.md: Guía rápida de referencia
- docs/SUPABASE_DASHBOARD_MIGRATION.md: Guía de ejecución en Dashboard
- docs/00_FULL_MIGRATION_FINAL_README.md: Guía de migración final
- SIMPLE_GUIDE.md: Guía simple de inicio
- FASE_1_STATUS.md: Estado de la Fase 1

## Configuración
- package.json: Dependencias y scripts de npm
- tsconfig.json: Configuración TypeScript con paths aliases
- next.config.js: Configuración Next.js
- tailwind.config.ts: Tema personalizado con colores primary, secondary, gold
- postcss.config.js: Configuración PostCSS
- .gitignore: Archivos excluidos de git
- .env.example: Template de variables de entorno

## Correcciones Aplicadas
1. Constraint de subquery en CHECK reemplazado por trigger de validación
   - PostgreSQL no permite subqueries en CHECK constraints
   - validate_secondary_artist_role() ahora es un trigger

2. Variable no declarada en loop
   - customer_record RECORD; añadido en bloque DECLARE

## Principios Implementados
- UTC-first: Todos los timestamps se almacenan en UTC
- Sistema Doble Capa: Validación Staff/Artist + Recurso físico
- Reset semanal: Invitaciones se resetean cada Lunes 00:00 UTC
- Idempotencia: Procesos de reset son idempotentes y auditados
- Privacidad: Artist solo ve nombre y notas de customers
- Auditoría: Todas las acciones críticas se registran automáticamente
- Short ID: 6 caracteres alfanuméricos como referencia humana
- UUID: Identificador primario interno

## Próximos Pasos
- Ejecutar scripts de verificación y seed
- Configurar Auth en Supabase Dashboard
- Implementar Tarea 1.3: Short ID & Invitaciones (backend)
- Implementar Tarea 1.4: CRM Base (endpoints CRUD)
2026-01-15 14:58:28 -06:00

335 lines
10 KiB
PL/PgSQL
Raw Blame History

-- Migración 002: Políticas RLS por rol
-- Version: 002
-- Fecha: 2026-01-15
-- Descripción: Configuración de Row Level Security con jerarquía de roles y restricciones de privacidad
-- ============================================
-- HELPER FUNCTIONS
-- ============================================
-- Función para obtener el rol del usuario actual
CREATE OR REPLACE FUNCTION get_current_user_role()
RETURNS user_role AS $$
DECLARE
current_staff_role user_role;
current_user_id UUID := auth.uid();
BEGIN
SELECT s.role INTO current_staff_role
FROM staff s
WHERE s.user_id = current_user_id
LIMIT 1;
IF current_staff_role IS NOT NULL THEN
RETURN current_staff_role;
END IF;
-- Si es customer, verificar si existe en customers
IF EXISTS (SELECT 1 FROM customers WHERE user_id = current_user_id) THEN
RETURN 'customer';
END IF;
RETURN NULL;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
-- Función para verificar si el usuario es staff o superior (admin, manager, staff)
CREATE OR REPLACE FUNCTION is_staff_or_higher()
RETURNS BOOLEAN AS $$
DECLARE
user_role user_role := get_current_user_role();
BEGIN
RETURN user_role IN ('admin', 'manager', 'staff');
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
-- Función para verificar si el usuario es artist
CREATE OR REPLACE FUNCTION is_artist()
RETURNS BOOLEAN AS $$
DECLARE
user_role user_role := get_current_user_role();
BEGIN
RETURN user_role = 'artist';
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
-- Función para verificar si el usuario es customer
CREATE OR REPLACE FUNCTION is_customer()
RETURNS BOOLEAN AS $$
DECLARE
user_role user_role := get_current_user_role();
BEGIN
RETURN user_role = 'customer';
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
-- Función para verificar si el usuario es admin
CREATE OR REPLACE FUNCTION is_admin()
RETURNS BOOLEAN AS $$
DECLARE
user_role user_role := get_current_user_role();
BEGIN
RETURN user_role = 'admin';
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
-- ============================================
-- ENABLE RLS ON ALL TABLES
-- ============================================
ALTER TABLE locations ENABLE ROW LEVEL SECURITY;
ALTER TABLE resources ENABLE ROW LEVEL SECURITY;
ALTER TABLE staff ENABLE ROW LEVEL SECURITY;
ALTER TABLE services ENABLE ROW LEVEL SECURITY;
ALTER TABLE customers ENABLE ROW LEVEL SECURITY;
ALTER TABLE invitations ENABLE ROW LEVEL SECURITY;
ALTER TABLE bookings ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_logs ENABLE ROW LEVEL SECURITY;
-- ============================================
-- LOCATIONS POLICIES
-- ============================================
-- Admin/Manager/Staff: Ver todas las locations activas
CREATE POLICY "locations_select_staff_higher" ON locations
FOR SELECT
USING (is_staff_or_higher() OR is_admin() OR is_admin());
-- Admin/Manager: Insertar, actualizar, eliminar locations
CREATE POLICY "locations_modify_admin_manager" ON locations
FOR ALL
USING (get_current_user_role() IN ('admin', 'manager'));
-- ============================================
-- RESOURCES POLICIES
-- ============================================
-- Staff o superior: Ver recursos activos
CREATE POLICY "resources_select_staff_higher" ON resources
FOR SELECT
USING (is_staff_or_higher() OR is_admin());
-- Artist: Ver recursos activos (necesario para ver disponibilidad)
CREATE POLICY "resources_select_artist" ON resources
FOR SELECT
USING (is_artist());
-- Admin/Manager: Modificar recursos
CREATE POLICY "resources_modify_admin_manager" ON resources
FOR ALL
USING (get_current_user_role() IN ('admin', 'manager'));
-- ============================================
-- STAFF POLICIES
-- ============================================
-- Admin/Manager: Ver todo el staff
CREATE POLICY "staff_select_admin_manager" ON staff
FOR SELECT
USING (get_current_user_role() IN ('admin', 'manager'));
-- Staff: Ver staff en su misma ubicación
CREATE POLICY "staff_select_same_location" ON staff
FOR SELECT
USING (
is_staff_or_higher() AND
EXISTS (
SELECT 1 FROM staff s WHERE s.user_id = auth.uid() AND s.location_id = staff.location_id
)
);
-- Artist: Ver solo otros artists en su misma ubicación
CREATE POLICY "staff_select_artist_view_artists" ON staff
FOR SELECT
USING (
is_artist() AND
EXISTS (
SELECT 1 FROM staff s WHERE s.user_id = auth.uid() AND s.location_id = staff.location_id
) AND
staff.role = 'artist'
);
-- Admin/Manager: Modificar staff
CREATE POLICY "staff_modify_admin_manager" ON staff
FOR ALL
USING (get_current_user_role() IN ('admin', 'manager'));
-- ============================================
-- SERVICES POLICIES
-- ============================================
-- Todos los usuarios autenticados: Ver servicios activos
CREATE POLICY "services_select_all" ON services
FOR SELECT
USING (is_active = true);
-- Admin/Manager: Ver y modificar todos los servicios
CREATE POLICY "services_all_admin_manager" ON services
FOR ALL
USING (get_current_user_role() IN ('admin', 'manager'));
-- ============================================
-- CUSTOMERS POLICIES
-- ============================================
-- Admin/Manager: Ver todo (incluyendo PII)
CREATE POLICY "customers_select_admin_manager" ON customers
FOR SELECT
USING (get_current_user_role() IN ('admin', 'manager'));
-- Staff: Ver todo (incluyendo PII) - Pueden ver email/phone según PRD actualizado
CREATE POLICY "customers_select_staff" ON customers
FOR SELECT
USING (is_staff_or_higher());
-- Artist: Solo nombre y notas, NO email ni phone
CREATE POLICY "customers_select_artist_restricted" ON customers
FOR SELECT
USING (is_artist());
-- Customer: Ver solo sus propios datos
CREATE POLICY "customers_select_own" ON customers
FOR SELECT
USING (is_customer() AND user_id = auth.uid());
-- Admin/Manager: Modificar cualquier cliente
CREATE POLICY "customers_modify_admin_manager" ON customers
FOR ALL
USING (get_current_user_role() IN ('admin', 'manager'));
-- Staff: Modificar cualquier cliente
CREATE POLICY "customers_modify_staff" ON customers
FOR ALL
USING (is_staff_or_higher());
-- Customer: Actualizar solo sus propios datos
CREATE POLICY "customers_update_own" ON customers
FOR UPDATE
USING (is_customer() AND user_id = auth.uid());
-- ============================================
-- INVITATIONS POLICIES
-- ============================================
-- Admin/Manager: Ver todas las invitaciones
CREATE POLICY "invitations_select_admin_manager" ON invitations
FOR SELECT
USING (get_current_user_role() IN ('admin', 'manager'));
-- Staff: Ver todas las invitaciones
CREATE POLICY "invitations_select_staff" ON invitations
FOR SELECT
USING (is_staff_or_higher());
-- Customer: Ver solo sus propias invitaciones (como inviter)
CREATE POLICY "invitations_select_own" ON invitations
FOR SELECT
USING (is_customer() AND inviter_id = (SELECT id FROM customers WHERE user_id = auth.uid()));
-- Admin/Manager: Modificar cualquier invitación
CREATE POLICY "invitations_modify_admin_manager" ON invitations
FOR ALL
USING (get_current_user_role() IN ('admin', 'manager'));
-- Staff: Modificar invitaciones
CREATE POLICY "invitations_modify_staff" ON invitations
FOR ALL
USING (is_staff_or_higher());
-- ============================================
-- BOOKINGS POLICIES
-- ============================================
-- Admin/Manager: Ver todos los bookings
CREATE POLICY "bookings_select_admin_manager" ON bookings
FOR SELECT
USING (get_current_user_role() IN ('admin', 'manager'));
-- Staff: Ver bookings de su ubicación
CREATE POLICY "bookings_select_staff_location" ON bookings
FOR SELECT
USING (
is_staff_or_higher() AND
EXISTS (
SELECT 1 FROM staff s WHERE s.user_id = auth.uid() AND s.location_id = bookings.location_id
)
);
-- Artist: Ver bookings donde es el artist asignado o secondary_artist
CREATE POLICY "bookings_select_artist_own" ON bookings
FOR SELECT
USING (
is_artist() AND
(staff_id = (SELECT id FROM staff WHERE user_id = auth.uid()) OR
secondary_artist_id = (SELECT id FROM staff WHERE user_id = auth.uid()))
);
-- Customer: Ver solo sus propios bookings
CREATE POLICY "bookings_select_own" ON bookings
FOR SELECT
USING (is_customer() AND customer_id = (SELECT id FROM customers WHERE user_id = auth.uid()));
-- Admin/Manager: Modificar cualquier booking
CREATE POLICY "bookings_modify_admin_manager" ON bookings
FOR ALL
USING (get_current_user_role() IN ('admin', 'manager'));
-- Staff: Modificar bookings de su ubicación
CREATE POLICY "bookings_modify_staff_location" ON bookings
FOR ALL
USING (
is_staff_or_higher() AND
EXISTS (
SELECT 1 FROM staff s WHERE s.user_id = auth.uid() AND s.location_id = bookings.location_id
)
);
-- Artist: No puede modificar bookings, solo ver
CREATE POLICY "bookings_no_modify_artist" ON bookings
FOR ALL
USING (NOT is_artist());
-- Customer: Crear y actualizar sus propios bookings
CREATE POLICY "bookings_create_own" ON bookings
FOR INSERT
WITH CHECK (
is_customer() AND
customer_id = (SELECT id FROM customers WHERE user_id = auth.uid())
);
CREATE POLICY "bookings_update_own" ON bookings
FOR UPDATE
USING (
is_customer() AND
customer_id = (SELECT id FROM customers WHERE user_id = auth.uid())
);
-- ============================================
-- AUDIT LOGS POLICIES
-- ============================================
-- Admin/Manager: Ver todos los audit logs
CREATE POLICY "audit_logs_select_admin_manager" ON audit_logs
FOR SELECT
USING (get_current_user_role() IN ('admin', 'manager'));
-- Staff: Ver logs de su ubicación
CREATE POLICY "audit_logs_select_staff_location" ON audit_logs
FOR SELECT
USING (
is_staff_or_higher() AND
EXISTS (
SELECT 1 FROM bookings b
JOIN staff s ON s.user_id = auth.uid()
WHERE b.id = audit_logs.entity_id
AND b.location_id = s.location_id
)
);
-- Solo backend puede insertar audit logs
CREATE POLICY "audit_logs_no_insert" ON audit_logs
FOR INSERT
WITH CHECK (false);
-- ============================================
-- END OF MIGRATION 002
-- ============================================
Reference in New Issue View Git Blame Copy Permalink