Hugging Face's logo

Spaces:
youngtsai
/
career_app
Build error

App Files Community
career_app
File size: 4,157 Bytes
e66ee1b
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
 
-- Enable Row Level Security (RLS) for all tables in the public schema
-- This script addresses the security issues identified by Supabase Security Advisor

-- 1. Enable RLS on all tables
ALTER TABLE public.agents ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.agent_versions ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.datasources ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.chunks ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.embeddings ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.collections ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.collection_items ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.pipeline_runs ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.chat_logs ENABLE ROW LEVEL SECURITY;

-- 2. Create RLS policies for service role (backend API access)
-- These policies allow the service role full access while protecting from direct client access

-- Agents table policies
CREATE POLICY "Service role can manage agents" ON public.agents
    FOR ALL
    USING (auth.role() = 'service_role')
    WITH CHECK (auth.role() = 'service_role');

-- Agent versions table policies
CREATE POLICY "Service role can manage agent versions" ON public.agent_versions
    FOR ALL
    USING (auth.role() = 'service_role')
    WITH CHECK (auth.role() = 'service_role');

-- Datasources table policies
CREATE POLICY "Service role can manage datasources" ON public.datasources
    FOR ALL
    USING (auth.role() = 'service_role')
    WITH CHECK (auth.role() = 'service_role');

-- Documents table policies
CREATE POLICY "Service role can manage documents" ON public.documents
    FOR ALL
    USING (auth.role() = 'service_role')
    WITH CHECK (auth.role() = 'service_role');

-- Chunks table policies
CREATE POLICY "Service role can manage chunks" ON public.chunks
    FOR ALL
    USING (auth.role() = 'service_role')
    WITH CHECK (auth.role() = 'service_role');

-- Embeddings table policies
CREATE POLICY "Service role can manage embeddings" ON public.embeddings
    FOR ALL
    USING (auth.role() = 'service_role')
    WITH CHECK (auth.role() = 'service_role');

-- Collections table policies
CREATE POLICY "Service role can manage collections" ON public.collections
    FOR ALL
    USING (auth.role() = 'service_role')
    WITH CHECK (auth.role() = 'service_role');

-- Collection items table policies
CREATE POLICY "Service role can manage collection items" ON public.collection_items
    FOR ALL
    USING (auth.role() = 'service_role')
    WITH CHECK (auth.role() = 'service_role');

-- Pipeline runs table policies
CREATE POLICY "Service role can manage pipeline runs" ON public.pipeline_runs
    FOR ALL
    USING (auth.role() = 'service_role')
    WITH CHECK (auth.role() = 'service_role');

-- Chat logs table policies
CREATE POLICY "Service role can manage chat logs" ON public.chat_logs
    FOR ALL
    USING (auth.role() = 'service_role')
    WITH CHECK (auth.role() = 'service_role');

-- 3. Optional: Add read-only policies for authenticated users (if needed in future)
-- Uncomment these if you want authenticated users to read certain data

-- CREATE POLICY "Authenticated users can read documents" ON public.documents
--     FOR SELECT
--     USING (auth.role() = 'authenticated');

-- CREATE POLICY "Authenticated users can read chunks" ON public.chunks
--     FOR SELECT
--     USING (auth.role() = 'authenticated');

-- 4. Grant necessary permissions to service role
GRANT ALL ON public.agents TO service_role;
GRANT ALL ON public.agent_versions TO service_role;
GRANT ALL ON public.datasources TO service_role;
GRANT ALL ON public.documents TO service_role;
GRANT ALL ON public.chunks TO service_role;
GRANT ALL ON public.embeddings TO service_role;
GRANT ALL ON public.collections TO service_role;
GRANT ALL ON public.collection_items TO service_role;
GRANT ALL ON public.pipeline_runs TO service_role;
GRANT ALL ON public.chat_logs TO service_role;

-- Note: After running this script, the backend API should use the service_role key
-- Never expose the service_role key to the client/frontend
-- The anon key should be used for any client-side operations (currently none)