Fix invitations to lower roles (#58)

Adjusted the SQL query to include a condition for roles at the same hierarchy level. This ensures that users with the same level of permission can properly manage invitations, improving the accuracy of role-based access control.
This commit is contained in:
Giancarlo Buomprisco
2024-08-30 20:43:17 +08:00
committed by GitHub
parent e23489d308
commit 5fada83913
2 changed files with 26 additions and 4 deletions


@@ -1234,7 +1234,7 @@ select
-- INSERT(invitations):
-- Users can create invitations to users of an account they are
-- a member of and have the 'invites.manage' permission AND the target role is not higher than the user's role
-- a member of and have the 'invites.manage' permission AND the target role is not higher than the user's role
create policy invitations_create_self on public.invitations for insert to authenticated
with
check (
@@ -1247,14 +1247,21 @@ with
account_id,
'invites.manage'::public.app_permissions
)
and public.has_same_role_hierarchy_level (
and (public.has_more_elevated_role (
(
select
auth.uid ()
),
account_id,
role
)
) or public.has_same_role_hierarchy_level(
(
select
auth.uid ()
),
account_id,
role
))
);
-- UPDATE(invitations):
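Review bot: As rendered, the `)` that opens line 35 appears to close the group opened on line 27 before `public.has_more_elevated_role (`, which would make the predicate read `has_permission(...) AND (has_more_elevated_role(...)) OR has_same_role_hierarchy_level(...)`; with SQL precedence that is `(permission AND elevated) OR same_level`, so a same-level member without `invites.manage` could insert an invitation. The intent stated in the comment on lines 17-18 needs the grouping `and (public.has_more_elevated_role(...) or public.has_same_role_hierarchy_level(...))`, with the closing paren after the second call, so if the rendering has not dropped a parenthesis the grouping should be fixed, and either way it is worth putting `or` on its own line so the grouping is visible at a glance. The outer `check (` and the `has_permission` call start before this hunk, so the full paren balance cannot be confirmed from what is shown. The `UPDATE(invitations)` policy that follows line 44 is outside the hunk; if it carries the same single `has_same_role_hierarchy_level` check, it presumably needs the same fix for updates by more elevated roles.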