-- =====================================================
-- Supabase Storage Policies for Avatars Bucket
-- =====================================================
-- Run this in your Supabase SQL Editor after creating
-- the "avatars" bucket in Storage
-- =====================================================
-- Row Level Security must be enabled on storage.objects for the policies
-- below to take effect. Supabase usually enables it by default; confirm that
-- it is enabled rather than assuming it (no ALTER statement is included here).
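-- Policy: Allow authenticated users to upload their own avatars
-- Users can only upload files that start with their user ID, either as the
-- first folder segment ("{user-id}/...") or as a "{user-id}-" filename prefix.
-- The OR branch is parenthesised deliberately: AND binds tighter than OR in
-- SQL, so without the parentheses the LIKE branch would stand on its own and
-- the bucket_id restriction would not apply to it, allowing a user to write
-- "{user-id}-..." objects into any bucket rather than only 'avatars'.
CREATE POLICY "Users can upload their own avatars"
ON storage.objects
FOR INSERT
TO authenticated
WITH CHECK (
    bucket_id = 'avatars' AND (
        (storage.foldername(name))[1] = auth.uid()::text OR
        name LIKE auth.uid()::text || '-%'
    )
);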
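-- Policy: Allow authenticated users to update their own avatars
-- USING restricts which existing rows may be touched; WITH CHECK restricts
-- what the row may look like afterwards. Both clauses use the same
-- ownership test: the object lives in 'avatars' AND its name is scoped to
-- the caller's user ID (folder prefix or "{user-id}-" filename prefix).
-- The OR branch is parenthesised on purpose: AND binds tighter than OR, so
-- without the parentheses the LIKE branch would bypass the bucket_id check
-- and let a user update matching objects in any bucket.
CREATE POLICY "Users can update their own avatars"
ON storage.objects
FOR UPDATE
TO authenticated
USING (
    bucket_id = 'avatars' AND (
        (storage.foldername(name))[1] = auth.uid()::text OR
        name LIKE auth.uid()::text || '-%'
    )
)
WITH CHECK (
    bucket_id = 'avatars' AND (
        (storage.foldername(name))[1] = auth.uid()::text OR
        name LIKE auth.uid()::text || '-%'
    )
);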
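-- Policy: Allow authenticated users to delete their own avatars
-- A row may be deleted only when it is in the 'avatars' bucket AND its name
-- is scoped to the caller's user ID (folder prefix or "{user-id}-" prefix).
-- The OR branch is parenthesised on purpose: AND binds tighter than OR, so
-- without the parentheses the LIKE branch would bypass the bucket_id check
-- and allow deleting "{user-id}-..." objects from any bucket.
CREATE POLICY "Users can delete their own avatars"
ON storage.objects
FOR DELETE
TO authenticated
USING (
    bucket_id = 'avatars' AND (
        (storage.foldername(name))[1] = auth.uid()::text OR
        name LIKE auth.uid()::text || '-%'
    )
);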
-- Policy: Anyone, including anonymous callers, may read objects in the
-- avatars bucket so profile images can be rendered from their URLs.
-- This grants read access to every object in the bucket, so nothing that
-- should stay private belongs in 'avatars'.
CREATE POLICY "Public can view avatars"
ON storage.objects
FOR SELECT
TO public
USING ('avatars' = bucket_id);
-- =====================================================
-- Alternative: Simpler policies if you want users to upload
-- files directly to the bucket root (no folders)
-- =====================================================
-- If the above policies don't work, try these simpler ones:
-- DROP POLICY IF EXISTS "Users can upload their own avatars" ON storage.objects;
-- DROP POLICY IF EXISTS "Users can update their own avatars" ON storage.objects;
-- DROP POLICY IF EXISTS "Users can delete their own avatars" ON storage.objects;
-- DROP POLICY IF EXISTS "Public can view avatars" ON storage.objects;
-- CREATE POLICY "Users can upload avatars"
-- ON storage.objects
-- FOR INSERT
-- TO authenticated
-- WITH CHECK (bucket_id = 'avatars' AND name LIKE auth.uid()::text || '-%');
-- CREATE POLICY "Users can update their avatars"
-- ON storage.objects
-- FOR UPDATE
-- TO authenticated
-- USING (bucket_id = 'avatars' AND name LIKE auth.uid()::text || '-%')
-- WITH CHECK (bucket_id = 'avatars' AND name LIKE auth.uid()::text || '-%');
-- CREATE POLICY "Users can delete their avatars"
-- ON storage.objects
-- FOR DELETE
-- TO authenticated
-- USING (bucket_id = 'avatars' AND name LIKE auth.uid()::text || '-%');
-- CREATE POLICY "Public can view avatars"
-- ON storage.objects
-- FOR SELECT
-- TO public
-- USING (bucket_id = 'avatars');
-- =====================================================
-- NOTES:
-- =====================================================
-- 1. Make sure the "avatars" bucket is created in Supabase Dashboard
-- - Go to Storage > Create bucket
-- - Name: "avatars"
-- - Public bucket: YES (so images can be accessed via URL)
--
-- 2. The policies above ensure:
-- - Users can only upload/update/delete files that start with their user ID
-- - Public can view all avatars (needed for displaying images)
--
-- 3. File naming convention: {user-id}-{timestamp}.{ext}
-- Example: 838e0b39-a805-410c-b6c8-c9526e255002-1234567890.jpg
--
-- 4. If you get permission errors, check:
-- - Bucket is set to "Public" in Storage settings
-- - Policies are correctly applied
-- - User is authenticated when uploading
-- =====================================================