-- =====================================================================================
-- RLS: 发票管理表
-- 位置：docs/sql/20_rls/finance/ml_invoices_rls_v1.sql
-- 对象类型：RLS 策略
-- 版本：v1
-- 说明：用户仅能查看自己的开票申请；管理端通过 RPC 访问
-- =====================================================================================

ALTER TABLE public.ml_invoices ENABLE ROW LEVEL SECURITY;

-- 策略 1: 允许用户读取自己的记录（仅未删除数据）
DROP POLICY IF EXISTS ml_invoices_user_select ON public.ml_invoices;
CREATE POLICY ml_invoices_user_select
  ON public.ml_invoices
  FOR SELECT
  TO authenticated
  USING (uid = auth.uid() AND deleted_at IS NULL);

-- 默认不开放 INSERT/UPDATE/DELETE 给普通用户，通常由 RPC 或支付后逻辑触发