Patrick Toal
108c042921
fix(edge-fn): use user.id instead of claims.sub; fixes 500s and false cert_required fix(migrations): drop broad reservations SELECT policy; add reservation_slots view with security_invoker=false fix(tests): correct weekSlot() keys from start/end to start_time/end_time fix(tests): spread overlap test slots across separate ISO weeks fix(tests): update e2e assertion to match actual authenticated home text fix(app): hide IonMenu before user is authenticated feat(dx): add test:all script running unit, integration, and e2e in sequence docs(claude-md): document SELinux fix, Edge Function auth pattern, security_invoker behaviour
15 lines
574 B
SQL
15 lines
574 B
SQL
-- The reservation_slots view was created with security_invoker=true, which means
|
|
-- it evaluates RLS as the calling user. After removing the broad select policy,
|
|
-- other members see 0 rows. Switch to security_definer so the view runs as the
|
|
-- owner (bypassing RLS), while still exposing only the safe columns.
|
|
|
|
drop view if exists public.reservation_slots;
|
|
|
|
create view public.reservation_slots
|
|
with (security_invoker = false)
|
|
as
|
|
select id, boat_id, start_time, end_time, status
|
|
from public.reservations;
|
|
|
|
grant select on public.reservation_slots to authenticated;
|