
Commit 4c470e6

Approve lovable tool use
1 parent d929776 commit 4c470e6

2 files changed

Lines changed: 73 additions & 0 deletions


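--- a/src/integrations/supabase/types.ts
+++ b/src/integrations/supabase/types.ts
@@ -606,6 +606,10 @@ export type Database = {
 Args: { campaign_id: string; requesting_user_id?: string }
 Returns: boolean
 }
+validate_campaign_ownership: {
+Args: { campaign_id: string; user_id?: string }
+Returns: boolean
+}
 }
 Enums: {
 [_ in never]: never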
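--- /dev/null
+++ b/<sql-migration-path-not-shown-on-page>
@@ -0,0 +1,69 @@
+-- Drop existing policies that may be incorrectly configured
+DROP POLICY IF EXISTS "Users can create affiliates for their campaigns" ON public.affiliates;
+DROP POLICY IF EXISTS "Users can delete affiliates of their campaigns" ON public.affiliates;
+DROP POLICY IF EXISTS "Users can update affiliates of their campaigns" ON public.affiliates;
+DROP POLICY IF EXISTS "Users can view affiliates of their campaigns" ON public.affiliates;
+
+-- Create secure RLS policies that check campaign ownership instead of direct user_id matching
+CREATE POLICY "Users can view affiliates of their own campaigns"
+ON public.affiliates
+FOR SELECT
+TO authenticated
+USING (
+EXISTS (
+SELECT 1 FROM public.campaigns
+WHERE campaigns.id = affiliates.campaign_id
+AND campaigns.user_id = auth.uid()
+)
+);
+
+CREATE POLICY "Users can create affiliates for their own campaigns"
+ON public.affiliates
+FOR INSERT
+TO authenticated
+WITH CHECK (
+EXISTS (
+SELECT 1 FROM public.campaigns
+WHERE campaigns.id = affiliates.campaign_id
+AND campaigns.user_id = auth.uid()
+)
+);
+
+CREATE POLICY "Users can update affiliates of their own campaigns"
+ON public.affiliates
+FOR UPDATE
+TO authenticated
+USING (
+EXISTS (
+SELECT 1 FROM public.campaigns
+WHERE campaigns.id = affiliates.campaign_id
+AND campaigns.user_id = auth.uid()
+)
+);
+
+CREATE POLICY "Users can delete affiliates of their own campaigns"
+ON public.affiliates
+FOR DELETE
+TO authenticated
+USING (
+EXISTS (
+SELECT 1 FROM public.campaigns
+WHERE campaigns.id = affiliates.campaign_id
+AND campaigns.user_id = auth.uid()
+)
+);
+
+-- Add additional security function to validate campaign ownership
+CREATE OR REPLACE FUNCTION public.validate_campaign_ownership(campaign_id uuid, user_id uuid DEFAULT auth.uid())
+RETURNS boolean
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+BEGIN
+RETURN EXISTS (
+SELECT 1 FROM campaigns
+WHERE id = campaign_id AND campaigns.user_id = validate_campaign_ownership.user_id
+);
+END;
+$$;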
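Review bot: The `validate_campaign_ownership` function at the end of this hunk is SECURITY DEFINER, so its body reads `campaigns` with RLS bypassed, yet it accepts `user_id` from the caller; since it is created in `public` and is already surfaced in the generated client types (`user_id?: string` in the types.ts section), an authenticated client can invoke it over RPC with an arbitrary `user_id` and learn whether that user owns a given campaign, which is an ownership oracle the policies above were written to avoid. If the function is only meant to back policies, add `REVOKE EXECUTE ON FUNCTION public.validate_campaign_ownership(uuid, uuid) FROM PUBLIC, anon, authenticated;` right after the definition; if clients are meant to call it, drop the parameter and compare against `auth.uid()` directly so the caller cannot choose the identity being checked. None of the four new policies actually call the function — each repeats the EXISTS predicate inline — so either have them use `public.validate_campaign_ownership(affiliates.campaign_id)` or remove the function rather than maintain two ownership checks that can drift apart. For a SECURITY DEFINER body the usual hardening is `SET search_path = ''` with a fully qualified `FROM public.campaigns`, rather than `SET search_path = public`.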
