```sql
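-- Row Level Security for the ERP schema.
-- Target: PostgreSQL with Supabase auth (auth.uid() = caller's user id,
-- `authenticated` = any signed-in user). RLS is switched on for every table
-- and access is granted back selectively by the policies below.
--
-- How PostgreSQL evaluates these policies:
--   * Policies are PERMISSIVE by default: a row passes if ANY policy on its
--     table passes, so each policy must be safe on its own.
--   * A policy with no FOR clause applies to ALL commands, and one with no
--     WITH CHECK reuses its USING expression for INSERT/UPDATE. A USING-only
--     FOR ALL policy is therefore a read AND write grant.
--   * Tables enabled below but given no policy (departments, hr_leaves,
--     inventory_stock_movements, workflows, audit_logs) are deny-all for
--     `authenticated` until a policy is added; only the table owner or a
--     superuser bypasses RLS.

-- Enable Row Level Security on all tables
ALTER TABLE organizations ENABLE ROW LEVEL SECURITY;
ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY;
ALTER TABLE departments ENABLE ROW LEVEL SECURITY;
ALTER TABLE crm_leads ENABLE ROW LEVEL SECURITY;
ALTER TABLE hr_employees ENABLE ROW LEVEL SECURITY;
ALTER TABLE hr_attendance ENABLE ROW LEVEL SECURITY;
ALTER TABLE hr_leaves ENABLE ROW LEVEL SECURITY;
ALTER TABLE finance_invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE inventory_products ENABLE ROW LEVEL SECURITY;
ALTER TABLE inventory_stock_movements ENABLE ROW LEVEL SECURITY;
ALTER TABLE workflows ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_logs ENABLE ROW LEVEL SECURITY;

-- ---------------------------------------------------------------------------
-- Helper functions
-- ---------------------------------------------------------------------------

-- The caller's own user_profiles row, read with RLS bypassed.
-- Why: a policy ON user_profiles cannot subquery user_profiles directly —
-- the subquery is itself filtered by that table's policies and PostgreSQL
-- aborts with "infinite recursion detected in policy for relation
-- user_profiles". SECURITY DEFINER runs the body as the function owner
-- (who must own user_profiles or otherwise bypass RLS); the WHERE on
-- auth.uid() restricts the result to the caller's single row, so no other
-- profile is exposed. SELECT * is required so the result matches the
-- declared row type.
CREATE OR REPLACE FUNCTION current_user_profile()
RETURNS SETOF user_profiles
LANGUAGE sql
STABLE
SECURITY DEFINER
-- Pin the schema: a SECURITY DEFINER body must not resolve names through the
-- caller's search_path. Change `public` if user_profiles lives elsewhere.
SET search_path = public
AS $$
  SELECT * FROM user_profiles WHERE id = auth.uid()
$$;

-- Only signed-in users may call the helper.
REVOKE ALL ON FUNCTION current_user_profile() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION current_user_profile() TO authenticated;

-- True when the caller's profile carries the superadmin role.
CREATE OR REPLACE FUNCTION is_superadmin()
RETURNS boolean
LANGUAGE sql
STABLE
AS $$
  SELECT EXISTS (SELECT 1 FROM current_user_profile() WHERE role = 'superadmin')
$$;

REVOKE ALL ON FUNCTION is_superadmin() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION is_superadmin() TO authenticated;

-- ---------------------------------------------------------------------------
-- Superadmin: full access to every table.
-- CREATE POLICY binds to exactly one table (there is no "ON ALL TABLES"), so
-- the grant is repeated per table. WITH CHECK is spelled out so the write
-- side is explicit rather than inherited from USING.
-- ---------------------------------------------------------------------------
CREATE POLICY superadmin_all_access ON organizations
  FOR ALL TO authenticated
  USING (is_superadmin()) WITH CHECK (is_superadmin());

CREATE POLICY superadmin_all_access ON user_profiles
  FOR ALL TO authenticated
  USING (is_superadmin()) WITH CHECK (is_superadmin());

CREATE POLICY superadmin_all_access ON departments
  FOR ALL TO authenticated
  USING (is_superadmin()) WITH CHECK (is_superadmin());

CREATE POLICY superadmin_all_access ON crm_leads
  FOR ALL TO authenticated
  USING (is_superadmin()) WITH CHECK (is_superadmin());

CREATE POLICY superadmin_all_access ON hr_employees
  FOR ALL TO authenticated
  USING (is_superadmin()) WITH CHECK (is_superadmin());

CREATE POLICY superadmin_all_access ON hr_attendance
  FOR ALL TO authenticated
  USING (is_superadmin()) WITH CHECK (is_superadmin());

CREATE POLICY superadmin_all_access ON hr_leaves
  FOR ALL TO authenticated
  USING (is_superadmin()) WITH CHECK (is_superadmin());

CREATE POLICY superadmin_all_access ON finance_invoices
  FOR ALL TO authenticated
  USING (is_superadmin()) WITH CHECK (is_superadmin());

CREATE POLICY superadmin_all_access ON inventory_products
  FOR ALL TO authenticated
  USING (is_superadmin()) WITH CHECK (is_superadmin());

CREATE POLICY superadmin_all_access ON inventory_stock_movements
  FOR ALL TO authenticated
  USING (is_superadmin()) WITH CHECK (is_superadmin());

CREATE POLICY superadmin_all_access ON workflows
  FOR ALL TO authenticated
  USING (is_superadmin()) WITH CHECK (is_superadmin());

CREATE POLICY superadmin_all_access ON audit_logs
  FOR ALL TO authenticated
  USING (is_superadmin()) WITH CHECK (is_superadmin());

-- ---------------------------------------------------------------------------
-- Organization admin: read/write within their own organization.
-- ---------------------------------------------------------------------------
CREATE POLICY org_admin_access ON organizations
  FOR ALL TO authenticated
  USING (
    id IN (SELECT organization_id FROM current_user_profile() WHERE role = 'org_admin')
  );

-- Org admins manage the profiles of their organization, but may not create
-- or promote a superadmin: without an explicit WITH CHECK the USING
-- expression is reused for writes, and an org_admin could set
-- role = 'superadmin' on any row in the org, including their own.
-- (Rewriting an existing superadmin row in the org is still permitted by
-- USING; tighten there if that matters.)
CREATE POLICY org_admin_user_profiles ON user_profiles
  FOR ALL TO authenticated
  USING (
    organization_id IN (SELECT organization_id FROM current_user_profile() WHERE role = 'org_admin')
  )
  WITH CHECK (
    organization_id IN (SELECT organization_id FROM current_user_profile() WHERE role = 'org_admin')
    AND role IS DISTINCT FROM 'superadmin'
  );

-- ---------------------------------------------------------------------------
-- Functional managers: read/write rows of their own organization.
-- org_admin is included in each. No WITH CHECK, so USING is reused for
-- writes: a manager can only insert or move rows into their own organization.
-- ---------------------------------------------------------------------------

-- Department-based access for HR managers
CREATE POLICY hr_manager_employee_access ON hr_employees
  FOR ALL TO authenticated
  USING (
    organization_id IN (
      SELECT organization_id FROM current_user_profile()
      WHERE role IN ('hr_manager', 'org_admin')
    )
  );

-- CRM lead access policies
CREATE POLICY crm_lead_manager_access ON crm_leads
  FOR ALL TO authenticated
  USING (
    organization_id IN (
      SELECT organization_id FROM current_user_profile()
      WHERE role IN ('crm_lead_manager', 'org_admin')
    )
  );

-- Finance manager access
CREATE POLICY finance_manager_access ON finance_invoices
  FOR ALL TO authenticated
  USING (
    organization_id IN (
      SELECT organization_id FROM current_user_profile()
      WHERE role IN ('finance_manager', 'org_admin')
    )
  );

-- Inventory manager access
CREATE POLICY inventory_manager_access ON inventory_products
  FOR ALL TO authenticated
  USING (
    organization_id IN (
      SELECT organization_id FROM current_user_profile()
      WHERE role IN ('inventory_manager', 'org_admin')
    )
  );

-- ---------------------------------------------------------------------------
-- Regular employees: read-only access to their own records.
-- FOR SELECT is deliberate. A FOR ALL + USING-only form also grants UPDATE
-- on the row, which on user_profiles lets a user rewrite their own `role`
-- and `organization_id` — the two columns every policy above keys on. A
-- self-update policy would need a WITH CHECK pinning both columns to their
-- current values.
-- ---------------------------------------------------------------------------
CREATE POLICY employee_self_access ON user_profiles
  FOR SELECT TO authenticated
  USING (id = auth.uid());

-- An employee can see their own hr_employees record. Needed for the
-- attendance policy below: hr_employees has RLS, so without this grant the
-- subquery there returns no rows for anyone who is not an HR manager.
CREATE POLICY employee_self_record ON hr_employees
  FOR SELECT TO authenticated
  USING (user_id = auth.uid());

-- Attendance is reachable through the employee record linked to the caller
-- (hr_employees.user_id = auth.uid()).
CREATE POLICY employee_own_attendance ON hr_attendance
  FOR SELECT TO authenticated
  USING (
    employee_id IN (SELECT id FROM hr_employees WHERE user_id = auth.uid())
  );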
```