Merge pull request #10 from recogito/develop

Merge develop into main

.gitignore

@@ -8,4 +8,4 @@ node_modules
 .DS_Store
 priivate-scripts
 hold
-./supabase/functions/*
+/supabase/functions/*

SQL Scripts/functions/delete_project_invite.sql

@@ -0,0 +1,12 @@
+CREATE OR REPLACE FUNCTION delete_invite(_invite_id uuid) RETURNS bool AS $$
+DECLARE _project_id UUID;
+BEGIN
+    SELECT INTO _project_id i.project_id FROM public.invites i WHERE id = _invite_id;
+    IF is_admin_project(auth.uid(), _project_id) OR is_admin_organization(auth.uid()) THEN
+      DELETE FROM public.invites WHERE id = _invite_id;
+      RETURN TRUE;
+    END IF;
+    RETURN FALSE;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+

SQL Scripts/functions/get_layer_policies.sql

@@ -8,7 +8,10 @@ CREATE OR REPLACE FUNCTION get_layer_policies(_layer_id uuid)
             )
 AS
 $body$
+DECLARE
+    _project_id uuid;
 BEGIN
+    SELECT INTO _project_id l.project_id FROM public.layers l WHERE l.id = layer_id;
     RETURN QUERY SELECT gu.user_id, pg.layer_id, p.table_name, p.operation
                  FROM public.layer_groups pg
                           INNER JOIN public.group_users gu
@@ -17,7 +20,27 @@ BEGIN
                           INNER JOIN public.role_policies rp ON r.id = rp.role_id
                           INNER JOIN public.policies p ON rp.policy_id = p.id
                  WHERE gu.user_id = auth.uid()
-                   AND pg.layer_id = $1;
+                   AND pg.layer_id = $1
+                UNION
+                SELECT gu2.user_id, $1, p2.table_name, p2.operation
+                 FROM public.project_groups pg2
+                          INNER JOIN public.group_users gu2
+                                     ON pg2.id = gu2.type_id AND gu2.group_type = 'project' AND gu2.user_id = auth.uid()
+                          INNER JOIN public.roles r2 ON pg2.role_id = r2.id
+                          INNER JOIN public.role_policies rp2 ON r2.id = rp2.role_id
+                          INNER JOIN public.policies p2 ON rp2.policy_id = p2.id
+                 WHERE gu2.user_id = auth.uid()
+                   AND pg2.project_id = _project_id
+                UNION
+                SELECT gu3.user_id, $1, p3.table_name, p3.operation
+                 FROM public.organization_groups ag3
+                          INNER JOIN public.group_users gu3
+                                     ON ag3.id = gu3.type_id AND gu3.group_type = 'organization' AND
+                                        gu3.user_id = auth.uid()
+                          INNER JOIN public.roles r3 ON ag3.role_id = r3.id
+                          INNER JOIN public.role_policies rp3 ON r3.id = rp3.role_id
+                          INNER JOIN public.policies p3 ON rp3.policy_id = p3.id
+                 WHERE gu3.user_id = auth.uid();
 END ;
 $body$ LANGUAGE plpgsql SECURITY DEFINER;
 

SQL Scripts/functions/get_project_policies.sql

@@ -17,7 +17,17 @@ BEGIN
                           INNER JOIN public.role_policies rp ON r.id = rp.role_id
                           INNER JOIN public.policies p ON rp.policy_id = p.id
                  WHERE gu.user_id = auth.uid()
-                   AND pg.project_id = $1;
+                   AND pg.project_id = $1
+                UNION
+                SELECT gu3.user_id, $1, p3.table_name, p3.operation
+                 FROM public.organization_groups ag3
+                          INNER JOIN public.group_users gu3
+                                     ON ag3.id = gu3.type_id AND gu3.group_type = 'organization' AND
+                                        gu3.user_id = auth.uid()
+                          INNER JOIN public.roles r3 ON ag3.role_id = r3.id
+                          INNER JOIN public.role_policies rp3 ON r3.id = rp3.role_id
+                          INNER JOIN public.policies p3 ON rp3.policy_id = p3.id
+                 WHERE gu3.user_id = auth.uid();
 END ;
 $body$ LANGUAGE plpgsql SECURITY DEFINER;
 

SQL Scripts/policies/documents.sql

@@ -8,6 +8,7 @@ SELECT
             (
                 is_private = FALSE
                 OR created_by = auth.uid ()
+                OR is_admin_organization (auth.uid ())
             )
             AND public.check_action_policy_organization (auth.uid (), 'documents', 'SELECT')
             OR public.check_action_policy_project_from_document (auth.uid (), 'documents', 'SELECT', id)
@@ -24,8 +25,12 @@ WITH
             (
                 is_private = FALSE
                 OR created_by = auth.uid ()
+                OR is_admin_organization (auth.uid ())
+            )
+            AND (
+                collection_id ISNULL
+                OR is_admin_organization (auth.uid ())
             )
-            AND (collection_id ISNULL) 
             AND public.check_action_policy_organization (auth.uid (), 'documents', 'INSERT')
         )
         OR public.check_action_policy_project_from_document (auth.uid (), 'documents', 'INSERT', id)
@@ -34,42 +39,46 @@ WITH
 
 DROP POLICY IF EXISTS "Users with correct policies can UPDATE on documents" ON public.documents;
 
-CREATE POLICY "Users with correct policies can UPDATE on documents" ON public.documents
-FOR UPDATE
-    TO authenticated USING (
+CREATE POLICY "Users with correct policies can UPDATE on documents" ON public.documents FOR
+UPDATE TO authenticated USING (
+    (
         (
-            (
-                is_private = FALSE
-                OR created_by = auth.uid ()
-            )
-            AND (collection_id ISNULL) 
-            AND public.check_action_policy_organization (auth.uid (), 'documents', 'UPDATE')
+            is_private = FALSE
+            OR created_by = auth.uid ()
+            OR is_admin_organization (auth.uid ())
         )
-        OR (
-            (
-                is_private = FALSE
-                OR created_by = auth.uid ()
-            )
-            AND (collection_id ISNULL) 
-            AND public.check_action_policy_project_from_document (auth.uid (), 'documents', 'UPDATE', id)
+        AND (collection_id ISNULL)
+        AND public.check_action_policy_organization (auth.uid (), 'documents', 'UPDATE')
+    )
+    OR (
+        (
+            is_private = FALSE
+            OR created_by = auth.uid ()
         )
+        AND (collection_id ISNULL)
+        AND public.check_action_policy_project_from_document (auth.uid (), 'documents', 'UPDATE', id)
     )
+)
 WITH
     CHECK (
         (
             (
                 is_private = FALSE
                 OR created_by = auth.uid ()
+                OR is_admin_organization (auth.uid ())
+            )
+            AND (
+                collection_id ISNULL
+                OR is_admin_organization (auth.uid ())
             )
-            AND (collection_id ISNULL)            
             AND public.check_action_policy_organization (auth.uid (), 'documents', 'UPDATE')
         )
         OR (
             (
                 is_private = FALSE
                 OR created_by = auth.uid ()
             )
-            AND (collection_id ISNULL)              
+            AND (collection_id ISNULL)
             AND public.check_action_policy_project_from_document (auth.uid (), 'documents', 'UPDATE', id)
         )
     );
@@ -81,8 +90,12 @@ CREATE POLICY "Users with correct policies can DELETE on documents" ON public.do
         (
             is_private = FALSE
             OR created_by = auth.uid ()
+            OR is_admin_organization (auth.uid ())
+        )
+        AND (
+            collection_id ISNULL
+            OR is_admin_organization (auth.uid ())
         )
-        AND (collection_id ISNULL)        
         AND public.check_action_policy_organization (auth.uid (), 'documents', 'DELETE')
     )
     OR public.check_action_policy_project_from_document (auth.uid (), 'documents', 'DELETE', id)