fix(edge-fn): use user.id instead of claims.sub; fixes 500s and false cert_required fix(migrations): drop broad reservations SELECT policy; add reservation_slots view with security_invoker=false fix(tests): correct weekSlot() keys from start/end to start_time/end_time fix(tests): spread overlap test slots across separate ISO weeks fix(tests): update e2e assertion to match actual authenticated home text fix(app): hide IonMenu before user is authenticated feat(dx): add test:all script running unit, integration, and e2e in sequence docs(claude-md): document SELinux fix, Edge Function auth pattern, security_invoker behaviour
-- Drop the overly-broad SELECT policy that allowed any authenticated user to read
-- all reservations. Non-owner visibility is now handled by the reservation_slots
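-- view (created with security_invoker=false, so its reads of reservations run with
-- the view owner's rights rather than the caller's RLS policies; it exposes only
-- id/boat_id/start_time/end_time/status).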
-- Remove the permissive SELECT policy on public.reservations by its exact name.
-- "if exists" keeps the migration re-runnable, but it also turns a name mismatch
-- into a silent no-op, so check pg_policies after applying to confirm the policy
-- is really gone.
-- NOTE(review): presumably an owner-scoped SELECT policy remains on this table;
-- confirm, since with RLS enabled and no SELECT policy nobody can read rows directly.
drop policy if exists
    "Authenticated users can read non-private reservation slots"
    on public.reservations;