-- ============================================================
-- FIX RLS & SESSION ASSETS (MathSolver v5.1 Worker Fix)
-- ============================================================

-- 1. Ensure session_assets table exists
-- One row per asset (restricted to 'video' or 'image') attached to a session.
-- session_id cascades: deleting a session removes its asset rows.
-- NOTE(review): job_id carries no FOREIGN KEY to public.jobs, so nothing stops
-- a row from pointing at a job id that does not exist — confirm that is intended.
-- NOTE(review): storage_path / public_url are presumably the bucket object key
-- and the externally reachable URL for it; verify against the worker code.
CREATE TABLE IF NOT EXISTS public.session_assets (
    id           uuid        PRIMARY KEY DEFAULT gen_random_uuid(),
    session_id   uuid        NOT NULL REFERENCES public.sessions (id) ON DELETE CASCADE,
    job_id       uuid        NOT NULL,
    asset_type   text        NOT NULL CHECK (asset_type IN ('video', 'image')),
    storage_path text        NOT NULL,
    public_url   text        NOT NULL,
    version      integer     NOT NULL DEFAULT 1,
    created_at   timestamptz DEFAULT now()
);

-- Indexes for the two lookups the policies and the app perform:
-- all assets of a session, and assets of a session filtered by type.
CREATE INDEX IF NOT EXISTS idx_session_assets_session_id
    ON public.session_assets (session_id);
CREATE INDEX IF NOT EXISTS idx_session_assets_type
    ON public.session_assets (session_id, asset_type);

-- 2. Enable RLS for all tables
-- With RLS enabled and no matching policy, a role sees no rows at all; the
-- policies in sections 3 and 4 open access back up selectively.
-- Note that ENABLE (as opposed to FORCE) ROW LEVEL SECURITY leaves the table
-- owner and BYPASSRLS roles unrestricted; in Supabase that is how the
-- service_role key gets past these policies.
ALTER TABLE public.profiles       ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.sessions       ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.messages       ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.jobs           ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.session_assets ENABLE ROW LEVEL SECURITY;


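-- 3. Fix Table Policies to allow SERVICE ROLE
-- In Supabase, service_role usually bypasses RLS, but we add explicit policies
-- for safety, especially for path-based checks or when SECURITY DEFINER
-- functions are used.
-- Every such policy MUST be scoped with `TO service_role`: a CREATE POLICY
-- without a TO clause applies to PUBLIC, i.e. to anon and authenticated as
-- well, and permissive policies are OR-ed together.

-- [Session Assets]
-- End users may only read asset rows whose session they own.
-- anon has auth.uid() = NULL, so it would match nothing anyway; scoping the
-- policy to authenticated just makes that explicit.
DROP POLICY IF EXISTS "Users view own assets" ON public.session_assets;
CREATE POLICY "Users view own assets" ON public.session_assets
    FOR SELECT
    TO authenticated
    USING (
        EXISTS (
            SELECT 1
            FROM public.sessions AS s
            WHERE s.id = session_assets.session_id
              AND s.user_id = auth.uid()
        )
    );

-- The worker (service_role) may insert, update and delete any asset row.
-- FIX: the previous version of this policy had no TO clause, so
-- `USING (true) WITH CHECK (true)` was granted to anon and authenticated too.
-- That let any client read, modify or delete every session_assets row and
-- silently overrode the "Users view own assets" restriction above.
DROP POLICY IF EXISTS "Service role manages assets" ON public.session_assets;
CREATE POLICY "Service role manages assets" ON public.session_assets
    FOR ALL
    TO service_role
    USING (true)
    WITH CHECK (true);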


-- [Messages] - Allow Worker to insert assistant messages
-- A message row is readable and writable when either
--   * the caller's JWT carries the service_role claim (the worker), or
--   * the message's session belongs to the caller (sessions.user_id = auth.uid()).
-- No TO clause, so the policy applies to every role; for anon the role claim
-- is not 'service_role' and auth.uid() is NULL, so neither branch matches.
-- WITH CHECK is written out explicitly; it is exactly what Postgres uses for a
-- FOR ALL policy when only USING is given, so INSERT/UPDATE are bound to the
-- same rule as SELECT/DELETE.
DROP POLICY IF EXISTS "Users manage own messages" ON public.messages;
CREATE POLICY "Users manage own messages" ON public.messages
    FOR ALL
    USING (
        COALESCE(auth.jwt() ->> 'role', '') = 'service_role'
        OR EXISTS (
            SELECT 1
            FROM public.sessions AS s
            WHERE s.id = messages.session_id
              AND s.user_id = auth.uid()
        )
    )
    WITH CHECK (
        COALESCE(auth.jwt() ->> 'role', '') = 'service_role'
        OR EXISTS (
            SELECT 1
            FROM public.sessions AS s
            WHERE s.id = messages.session_id
              AND s.user_id = auth.uid()
        )
    );


-- [Jobs] - Allow Worker to update job status
-- A job row is readable and writable when any of these hold:
--   * the job has no owner (user_id IS NULL),
--   * the job is owned by the caller (user_id = auth.uid()), or
--   * the caller's JWT carries the service_role claim (the worker).
-- WITH CHECK is spelled out and mirrors USING, which is what Postgres defaults
-- to for a FOR ALL policy with only USING.
-- NOTE(review): the `user_id IS NULL` branch is not scoped to any role, so
-- every client — anon included — can read, update and delete every unowned
-- job, and, because WITH CHECK mirrors USING, insert new unowned jobs.
-- Confirm that unowned jobs are meant to be world-writable; if they only need
-- to be reachable by the worker, the service_role branch already covers that
-- and this branch can be dropped.
DROP POLICY IF EXISTS "Users manage own jobs" ON public.jobs;
CREATE POLICY "Users manage own jobs" ON public.jobs
    FOR ALL
    USING (
        user_id IS NULL
        OR user_id = auth.uid()
        OR COALESCE(auth.jwt() ->> 'role', '') = 'service_role'
    )
    WITH CHECK (
        user_id IS NULL
        OR user_id = auth.uid()
        OR COALESCE(auth.jwt() ->> 'role', '') = 'service_role'
    );


-- 4. Storage Policies (Bucket: video)
-- Ensure the 'video' bucket exists and is public.
-- NOTE(review): the ON CONFLICT branch re-asserts public = true every time this
-- migration runs, so an operator who later makes the bucket private (e.g. via
-- the dashboard) is silently undone on the next apply. Keep that in mind if
-- the exposure of session videos is ever tightened.
INSERT INTO storage.buckets (id, name, public)
VALUES ('video', 'video', TRUE)
ON CONFLICT (id) DO UPDATE
    SET public = EXCLUDED.public;

-- [Storage: Worker / Service Role] - Allow all in video bucket
-- Scoped to service_role only (the worker). Mostly belt-and-braces, since the
-- Supabase service_role key bypasses RLS; it matters only for a worker that
-- connects as service_role without BYPASSRLS.
-- WITH CHECK is written out and equals USING, which is the default for a
-- FOR ALL policy that gives only USING.
DROP POLICY IF EXISTS "Service Role manage videos" ON storage.objects;
CREATE POLICY "Service Role manage videos" ON storage.objects
    FOR ALL
    TO service_role
    USING ('video' = bucket_id)
    WITH CHECK ('video' = bucket_id);

-- [Storage: Users] - Allow users to view their session videos
-- Matches objects in the 'video' bucket whose SECOND path segment
-- ((storage.foldername(name))[2]) is the id of a session owned by the caller,
-- i.e. object names are assumed to look like `<prefix>/<session_id>/<file>`.
-- Objects stored under any other layout are not matched.
-- NOTE(review): the path layout is inferred from this index only — confirm it
-- against the worker's upload code.
-- NOTE(review): the "Public read videos" policy on the same bucket grants
-- SELECT to every role, and permissive policies are OR-ed, so this
-- per-session restriction currently adds nothing on top of it.
DROP POLICY IF EXISTS "Users view session videos" ON storage.objects;
CREATE POLICY "Users view session videos" ON storage.objects
    FOR SELECT
    TO authenticated
    USING (
        bucket_id = 'video'
        AND EXISTS (
            SELECT 1
            FROM public.sessions AS s
            WHERE s.user_id = auth.uid()
              AND s.id::text = (storage.foldername(objects.name))[2]
        )
    );

-- [Storage: Public] - Allow public read access to videos
-- Grants SELECT on every object in the 'video' bucket to PUBLIC (anon and
-- authenticated alike): any object whose path is known can be fetched, and the
-- bucket can be listed, without authentication. This is consistent with the
-- bucket being created with public = true above, but it also makes the
-- per-session "Users view session videos" policy redundant, since permissive
-- policies are OR-ed and the broader grant wins. Drop this policy (and make
-- the bucket private) if session videos are not meant to be world-readable.
DROP POLICY IF EXISTS "Public read videos" ON storage.objects;
CREATE POLICY "Public read videos" ON storage.objects
    FOR SELECT
    TO public
    USING ('video' = bucket_id);