Replace all marketing placeholder content with real MYeasyCMS content
- Logo: Replace generic Makerkit SVG with MYeasyCMS branded logo (grid icon + styled text)
- Blog: Replace 3 SaaS placeholder posts with 5 real articles (Vereinsverwaltung, SEPA, Website, DSGVO, Mitglieder-Tipps)
- Changelog: Replace 6 generic entries with real feature announcements (Verbandsverwaltung, Fischerei, Dateien, Kurse, Einladungen, i18n)
- Documentation: Rewrite all 20 docs from Makerkit references to MYeasyCMS content
- FAQ: Replace 6 generic SaaS questions with 10 real MYeasyCMS questions
- Navigation: Replace Changelog link with Contact in main nav
- Footer: Reorganize into Product/Company/Legal sections
- Translations: Update all EN marketing strings to match real Com.BISS content
@@ -1,88 +1,41 @@
---
title: "Row Level Security"
description: "Understanding and implementing Row Level Security (RLS) for data protection."
title: "Zugriffsrechte"
description: "Rollenbasierte Zugriffsrechte — wer welche Daten sehen und bearbeiten darf."
publishedAt: 2024-04-11
order: 2
status: "published"
---
|
> **Note:** This is mock/placeholder content for demonstration purposes.
MYeasyCMS schützt Ihre Daten durch ein feingranulares Berechtigungssystem.
|
Row Level Security (RLS) is PostgreSQL's built-in authorization system that controls which rows users can access in database tables.
## Rollenkonzept
|
## Why RLS?
Jeder Benutzer erhält eine Rolle, die seinen Zugriff auf Module und Daten steuert. Das Prinzip: Jeder sieht nur das, was er für seine Aufgabe braucht.
|
RLS provides several advantages:
- **Database-level security** - Protection even if application code has bugs
- **Automatic enforcement** - No need for manual authorization checks
- **Multi-tenant isolation** - Ensures users only see their own data
- **Performance** - Optimized at the database level
## Standardrollen
|
## Enabling RLS
| Rolle | Zugriff |
|-------|---------|
| **Administrator** | Alle Module, Einstellungen, Benutzerverwaltung |
| **Kassenwart** | Finanzen, Beiträge, Mitgliederdaten, SEPA |
| **Kursleiter** | Kurse, Teilnehmer, Anwesenheit |
| **Schriftführer** | Protokolle, Dokumente |
| **Mitglied** | Eigene Daten über das Portal |
|
All tables should have RLS enabled:
## Datenebene
|
```sql
ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;
```
Die Zugriffsrechte wirken auf Datenebene:
|
## Common Policy Patterns
- Ein Kursleiter sieht nur die Teilnehmer seiner Kurse
- Ein Mitglied sieht nur seine eigenen Daten im Portal
- SEPA-Mandate und Bankverbindungen sind nur für den Kassenwart und Administratoren sichtbar
|
### Personal Account Access
## Administratorrechte
|
```sql
CREATE POLICY "Users can access their personal account data"
ON your_table FOR ALL
USING (account_id = auth.uid());
```
Nur Administratoren können:
|
### Team Account Access
|
```sql
CREATE POLICY "Users can access their team account data"
ON your_table FOR ALL
USING (
account_id IN (
SELECT account_id FROM accounts_memberships
WHERE user_id = auth.uid()
)
);
```
|
### Read vs Write Permissions
|
```sql
-- All members can read
CREATE POLICY "Team members can view data"
ON your_table FOR SELECT
USING (account_id IN (SELECT get_user_accounts(auth.uid())));
|
-- Only owners can modify
CREATE POLICY "Only owners can modify data"
ON your_table FOR UPDATE
USING (
account_id IN (
SELECT account_id FROM accounts_memberships
WHERE user_id = auth.uid() AND role = 'owner'
)
);
```
|
## Testing RLS Policies
|
Always test your RLS policies to ensure they work correctly:
|
```sql
-- Test as specific user
SET request.jwt.claims.sub = 'user-uuid-here';
|
-- Try to select data
SELECT * FROM your_table;
|
-- Reset
RESET request.jwt.claims.sub;
```
|
## Admin Bypass
|
Service role keys bypass RLS. Use with extreme caution and always implement manual authorization checks when using the admin client.
- Neue Benutzer einladen
- Rollen zuweisen
- Module aktivieren/deaktivieren
- Vereinseinstellungen ändern
- Das Audit-Protokoll einsehen
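Review bot: The new "## Datenebene" section (`Die Zugriffsrechte wirken auf Datenebene:` and its three bullets) promises data-level enforcement, yet the rewrite removes every line that described a data-level mechanism (the `ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;` block, the `CREATE POLICY ... USING (account_id = auth.uid());` patterns, the `SET request.jwt.claims.sub` test snippet and the "Service role keys bypass RLS" warning) without replacing them with anything that ties the listed roles (Administrator, Kassenwart, Kursleiter, Schriftführer, Mitglied) to a database-side policy. Either state explicitly that the Kursleiter, Mitglied and SEPA/bank-details restrictions are enforced by row-level policies and not only by module visibility in the UI, or reword "wirken auf Datenebene" so it does not claim more than the application enforces; the `SEPA-Mandate und Bankverbindungen sind nur für den Kassenwart und Administratoren sichtbar` bullet is exactly the kind of statement a reader will rely on. Two smaller points: the side-by-side rendering makes it ambiguous whether `> **Note:** This is mock/placeholder content for demonstration purposes.` survives into the new file, and it must not in a commit whose subject is "Replace all marketing placeholder content"; and `publishedAt: 2024-04-11` is carried over unchanged from the Makerkit template, so the page will display a date that predates the rewrite.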
|