Enforce RLS when user opted in to MFA. (#188)

* Allow Super Admin to view tables using RLS * Replace previous usages of the Admin client using the authed client using the new RLS * Enforce MFA for Super Admin users * Enforce RLS when user opted in to MFA. * Add Super Admin Access Policies and Update Database Types * Consolidate super admin logic into a single function that uses the RPC is_super_admin * Added Super Admin E2E tests * Fixes and improvements * Bump version to 2.5.0
2025-03-02 10:21:01 +07:00
parent 9cf7bf0aac
commit 131b1061e6
61 changed files with 2193 additions and 302 deletions
--- a/packages/features/admin/src/lib/server/services/admin-auth-user.service.ts
+++ b/packages/features/admin/src/lib/server/services/admin-auth-user.service.ts
@@ -137,6 +137,17 @@ class AdminAuthUserService {
        `You cannot perform a destructive action on your own account as a Super Admin`,
      );
    }
+
+    const targetUser =
+      await this.adminClient.auth.admin.getUserById(targetUserId);
+
+    const targetUserRole = targetUser.data.user?.app_metadata?.role;
+
+    if (targetUserRole === 'super-admin') {
+      throw new Error(
+        `You cannot perform a destructive action on a Super Admin account`,
+      );
+    }
  }

  private async setBanDuration(userId: string, banDuration: string) {