-- ===================================================================================== -- RLS: 系统配置表安全策略 -- 位置:docs/sql/20_rls/admin/ml_system_configs_rls_v1.sql -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:允许所有登录用户读取配置;管理端全量操作通过 RPC (SECURITY DEFINER) 执行 -- ===================================================================================== -- 启用 RLS ALTER TABLE public.ml_system_configs ENABLE ROW LEVEL SECURITY; -- 1. 允许所有登录用户读取配置 (用于前端业务逻辑判断) DROP POLICY IF EXISTS system_configs_select_policy ON public.ml_system_configs; CREATE POLICY system_configs_select_policy ON public.ml_system_configs FOR SELECT TO authenticated USING (deleted_at IS NULL); -- 管理端全量管理将通过 SECURITY DEFINER 的 RPC 接口执行,此处不再额外开放直接表操作 -- ===================================================================================== -- RLS: 权限管理 (Auth) 安全策略 -- 位置:docs/sql/20_rls/auth/ak_auth_rls_v1.sql -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:角色与权限表默认不对外开放,全量管理通过 SECURITY DEFINER RPC 执行 -- ===================================================================================== -- 启用 RLS ALTER TABLE public.ak_roles ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_permissions ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_admin_roles ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_role_permissions ENABLE ROW LEVEL SECURITY; -- 默认策略:NO DIRECT ACCESS -- 所有的查询和修改均建议通过 docs/sql/30_rpc/auth/ 下的专用管理接口完成 -- 这样可以确保鉴权逻辑与 ak_users.role 强制绑定,且具备审计能力 -- ===================================================================================== -- RLS: 内容管理模块安全策略 -- 位置:docs/sql/20_rls/cms/ml_cms_rls_v1.sql -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:消费者端可读(仅已发布/启用);管理端通过 RPC 访问 -- ===================================================================================== -- 1. 开启 RLS ALTER TABLE public.ml_article_categories ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ml_articles ENABLE ROW LEVEL SECURITY; -- 2. 分类表策略:允许所有人读取启用的分类 DROP POLICY IF EXISTS ml_article_categories_select_active ON public.ml_article_categories; CREATE POLICY ml_article_categories_select_active ON public.ml_article_categories FOR SELECT TO anon, authenticated USING (status = 1 AND deleted_at IS NULL); -- 3. 文章表策略:允许所有人读取已发布的文章 DROP POLICY IF EXISTS ml_articles_select_published ON public.ml_articles; CREATE POLICY ml_articles_select_published ON public.ml_articles FOR SELECT TO anon, authenticated USING (status = 1 AND deleted_at IS NULL); -- 默认不开放 INSERT/UPDATE/DELETE 给普通用户,管理端操作通过 RPC (SECURITY DEFINER) 执行 -- ===================================================================================== -- RLS: 装修模块 - DIY 页面安全策略 -- 位置:docs/sql/20_rls/decoration/ml_decoration_rls_v1.sql -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:消费者端公开只读已发布的页面;管理端通过 SECURITY DEFINER RPC 进行管理 -- ===================================================================================== -- 1. 启用 RLS ALTER TABLE public.ak_diy_pages ENABLE ROW LEVEL SECURITY; -- 2. 消费者端策略:允许匿名和登录用户读取已启用的页面 DROP POLICY IF EXISTS diy_pages_select_active ON public.ak_diy_pages; CREATE POLICY diy_pages_select_active ON public.ak_diy_pages FOR SELECT TO anon, authenticated USING (is_active = true AND deleted_at IS NULL); -- 管理端全量管理将通过 SECURITY DEFINER 的 RPC 接口执行,此处不再额外开放直接表操作 -- ===================================================================================== -- RLS: 物流设置 (Delivery) 安全策略 -- 位置:docs/sql/20_rls/delivery/ak_delivery_rls_v1.sql -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:配送员表管理端私有;提货点表消费者端只读 -- ===================================================================================== -- 启用 RLS ALTER TABLE public.ml_delivery_staff ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ml_delivery_stations ENABLE ROW LEVEL SECURITY; -- 1. 配送员表策略:默认不开放直接访问 -- 全量管理通过 docs/sql/30_rpc/delivery/ 下的 RPC 执行 -- 2. 提货点表策略:允许消费者端只读(用于地图展示和下单选择) DROP POLICY IF EXISTS delivery_stations_select_active ON public.ml_delivery_stations; CREATE POLICY delivery_stations_select_active ON public.ml_delivery_stations FOR SELECT TO anon, authenticated USING (status = 1 AND deleted_at IS NULL); -- 管理端全量管理将通过 SECURITY DEFINER 的 RPC 接口执行 -- ===================================================================================== -- RLS: 医养执行端 Delivery 安全策略升级 -- 位置:docs/sql/20_rls/delivery/ak_delivery_rls_v2.sql -- 对象类型:RLS 策略 -- 版本:v2 -- 说明:保留管理端通过 SECURITY DEFINER RPC 管理,补充执行人员本人直读自己档案。 -- ===================================================================================== ALTER TABLE public.ml_delivery_staff ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ml_delivery_stations ENABLE ROW LEVEL SECURITY; -- 清理旧策略 DROP POLICY IF EXISTS delivery_staff_self_select ON public.ml_delivery_staff; DROP POLICY IF EXISTS delivery_staff_self_update ON public.ml_delivery_staff; DROP POLICY IF EXISTS delivery_stations_select_active ON public.ml_delivery_stations; -- 1. 执行人员本人可直读自己的未删除档案 CREATE POLICY delivery_staff_self_select ON public.ml_delivery_staff FOR SELECT TO authenticated USING ( deleted_at IS NULL AND EXISTS ( SELECT 1 FROM public.ak_users u WHERE u.id = ml_delivery_staff.uid AND u.auth_id = auth.uid() ) ); -- 2. 执行人员本人可更新自己的在线状态等自有档案字段 CREATE POLICY delivery_staff_self_update ON public.ml_delivery_staff FOR UPDATE TO authenticated USING ( deleted_at IS NULL AND EXISTS ( SELECT 1 FROM public.ak_users u WHERE u.id = ml_delivery_staff.uid AND u.auth_id = auth.uid() ) ) WITH CHECK ( deleted_at IS NULL AND EXISTS ( SELECT 1 FROM public.ak_users u WHERE u.id = ml_delivery_staff.uid AND u.auth_id = auth.uid() ) ); -- 3. 提货点/机构对前台保持只读,仅返回启用且未删除数据 CREATE POLICY delivery_stations_select_active ON public.ml_delivery_stations FOR SELECT TO anon, authenticated USING (status = 1 AND deleted_at IS NULL); -- 4. 派单候选人读取统一走 SECURITY DEFINER RPC,不再开放公开可派单列表 RLS -- 5. 其余直连写操作默认不开放,管理端统一走 SECURITY DEFINER RPC -- ===================================================================================== -- RLS: 分销模块安全策略 -- 位置:docs/sql/20_rls/distribution/ml_distribution_rls_v1.sql -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:管理端全量权限通过 SECURITY DEFINER RPC 执行;用户仅能访问个人关联数据 -- ===================================================================================== -- 启用 RLS ALTER TABLE public.ak_distribution_config ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_distribution_level ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_promoter_relations ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_commission_logs ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_distribution_divisions ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_distribution_agents ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_distribution_agent_applications ENABLE ROW LEVEL SECURITY; -- 1. 分销配置:允许所有登录用户读取(消费者端展示逻辑需要) DROP POLICY IF EXISTS dist_config_select_policy ON public.ak_distribution_config; CREATE POLICY dist_config_select_policy ON public.ak_distribution_config FOR SELECT TO authenticated USING (deleted_at IS NULL); -- 2. 分销等级:允许所有登录用户读取可见等级 DROP POLICY IF EXISTS dist_level_select_policy ON public.ak_distribution_level; CREATE POLICY dist_level_select_policy ON public.ak_distribution_level FOR SELECT TO authenticated USING (is_visible = true AND deleted_at IS NULL); -- 3. 推广员关系:用户仅能查看与自己相关的记录 DROP POLICY IF EXISTS promoter_relations_select_policy ON public.ak_promoter_relations; CREATE POLICY promoter_relations_select_policy ON public.ak_promoter_relations FOR SELECT TO authenticated USING ((uid = auth.uid() OR inviter_uid = auth.uid()) AND deleted_at IS NULL); -- 4. 佣金日志:用户仅能查看自己的佣金记录 DROP POLICY IF EXISTS commission_logs_select_policy ON public.ak_commission_logs; CREATE POLICY commission_logs_select_policy ON public.ak_commission_logs FOR SELECT TO authenticated USING (uid = auth.uid() AND deleted_at IS NULL); -- 5. 事业部与代理商:允许登录用户查看启用的记录 DROP POLICY IF EXISTS dist_divisions_select_policy ON public.ak_distribution_divisions; CREATE POLICY dist_divisions_select_policy ON public.ak_distribution_divisions FOR SELECT TO authenticated USING (is_enabled = true AND deleted_at IS NULL); DROP POLICY IF EXISTS dist_agents_select_policy ON public.ak_distribution_agents; CREATE POLICY dist_agents_select_policy ON public.ak_distribution_agents FOR SELECT TO authenticated USING (is_enabled = true AND deleted_at IS NULL); -- 6. 代理商申请:用户仅能管理自己的申请记录 DROP POLICY IF EXISTS dist_apply_user_policy ON public.ak_distribution_agent_applications; CREATE POLICY dist_apply_user_policy ON public.ak_distribution_agent_applications FOR ALL TO authenticated USING (uid = auth.uid() AND deleted_at IS NULL) WITH CHECK (uid = auth.uid()); -- 管理端全量管理将通过 SECURITY DEFINER 的 RPC 接口执行,此处不再额外开放直接表操作 -- ===================================================================================== -- RLS: 用户提现申请表 -- 位置:docs/sql/20_rls/finance/ -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:仅允许用户查看自己的提现记录;管理端通过 RPC 访问 -- ===================================================================================== ALTER TABLE public.ml_extract ENABLE ROW LEVEL SECURITY; -- 策略 1: 允许用户读取自己的提现申请 DROP POLICY IF EXISTS ml_extract_user_select ON public.ml_extract; CREATE POLICY ml_extract_user_select ON public.ml_extract FOR SELECT TO authenticated USING (uid = auth.uid() AND deleted_at IS NULL); -- 默认不开放 INSERT/UPDATE/DELETE 给普通用户 -- 提现申请通常由特定的 RPC 函数 (security definer) 创建,以确保业务逻辑(如冻结余额)的原子性 -- ===================================================================================== -- RLS: 发票管理表 -- 位置:docs/sql/20_rls/finance/ml_invoices_rls_v1.sql -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:用户仅能查看自己的开票申请;管理端通过 RPC 访问 -- ===================================================================================== ALTER TABLE public.ml_invoices ENABLE ROW LEVEL SECURITY; -- 策略 1: 允许用户读取自己的记录(仅未删除数据) DROP POLICY IF EXISTS ml_invoices_user_select ON public.ml_invoices; CREATE POLICY ml_invoices_user_select ON public.ml_invoices FOR SELECT TO authenticated USING (uid = auth.uid() AND deleted_at IS NULL); -- 默认不开放 INSERT/UPDATE/DELETE 给普通用户,通常由 RPC 或支付后逻辑触发 -- ===================================================================================== -- RLS: 用户资金流水表 -- 位置:docs/sql/20_rls/finance/ -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:仅允许用户查看自己的流水记录;管理端通过 RPC 访问 -- ===================================================================================== ALTER TABLE public.ml_user_bill ENABLE ROW LEVEL SECURITY; -- 策略 1: 允许用户读取自己的记录(仅未删除数据) DROP POLICY IF EXISTS ml_user_bill_user_select ON public.ml_user_bill; CREATE POLICY ml_user_bill_user_select ON public.ml_user_bill FOR SELECT TO authenticated USING (uid = auth.uid() AND deleted_at IS NULL); -- 默认不开放 INSERT/UPDATE/DELETE 给普通用户,由后端逻辑或 RPC 触发 -- ===================================================================================== -- RLS: 用户充值记录表 -- 位置:docs/sql/20_rls/finance/ -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:仅允许用户查看自己的充值记录;管理端通过 RPC 访问 -- ===================================================================================== ALTER TABLE public.ml_user_recharge ENABLE ROW LEVEL SECURITY; -- 策略 1: 允许用户读取自己的记录(仅未删除数据) DROP POLICY IF EXISTS ml_user_recharge_user_select ON public.ml_user_recharge; CREATE POLICY ml_user_recharge_user_select ON public.ml_user_recharge FOR SELECT TO authenticated USING (uid = auth.uid() AND deleted_at IS NULL); -- 默认不开放 INSERT/UPDATE/DELETE 给普通用户,写操作通常由业务逻辑或支付回调触发 -- ===================================================================================== -- RLS: 客服模块安全策略 -- 位置:docs/sql/20_rls/kefu/ml_kefu_rls_v1.sql -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:管理端全量访问通过 RPC 完成;用户仅能操作自己的留言反馈 -- ===================================================================================== -- 开启所有表的 RLS ALTER TABLE public.ml_kefu_accounts ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ml_kefu_word_categories ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ml_kefu_words ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ml_kefu_feedbacks ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ml_kefu_auto_replies ENABLE ROW LEVEL SECURITY; -- 1. 留言反馈表策略 -- 允许登录用户插入自己的留言 DROP POLICY IF EXISTS ml_kefu_feedbacks_user_insert ON public.ml_kefu_feedbacks; CREATE POLICY ml_kefu_feedbacks_user_insert ON public.ml_kefu_feedbacks FOR INSERT TO authenticated WITH CHECK (user_id = auth.uid()); -- 允许用户查看自己的留言 DROP POLICY IF EXISTS ml_kefu_feedbacks_user_select ON public.ml_kefu_feedbacks; CREATE POLICY ml_kefu_feedbacks_user_select ON public.ml_kefu_feedbacks FOR SELECT TO authenticated USING (user_id = auth.uid()); -- 其他表(账号、话术、自动回复)默认不向 anon/authenticated 角色开放 SELECT/INSERT/UPDATE/DELETE -- 管理端全量管理将通过 SECURITY DEFINER 的 RPC 函数执行 -- ===================================================================================== -- RLS Policy: 优惠券模板表权限控制 -- 位置:docs/sql/20_rls/marketing/ml_coupon_templates_rls_v1.sql -- 说明:确保商家仅能管理自己的优惠券模板,管理员拥有全权限。 -- ===================================================================================== -- 1. 启用 RLS ALTER TABLE public.ml_coupon_templates ENABLE ROW LEVEL SECURITY; -- 2. 创建权限策略 -- 允许商家管理自己的模板 CREATE POLICY ml_coupon_templates_merchant_policy ON public.ml_coupon_templates FOR ALL TO authenticated USING ( merchant_id = auth.uid() OR EXISTS ( SELECT 1 FROM public.ak_users WHERE id = auth.uid() AND role = 'admin' ) ) WITH CHECK ( merchant_id = auth.uid() OR EXISTS ( SELECT 1 FROM public.ak_users WHERE id = auth.uid() AND role = 'admin' ) ); -- 允许所有认证用户查看模板(用于前台领取) CREATE POLICY ml_coupon_templates_select_policy ON public.ml_coupon_templates FOR SELECT TO authenticated USING (status = 1); -- ===================================================================================== -- RLS: 营销核心活动表安全策略 -- 位置:docs/sql/20_rls/marketing/ml_marketing_activities_rls_v1.sql -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:消费者端公开只读;管理端操作由 RPC (SECURITY DEFINER) 承载 -- ===================================================================================== -- 启用 RLS ALTER TABLE public.ak_seckill_activities ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_combination_activities ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_marketing_bargains ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_marketing_groupbuys ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_marketing_lotteries ENABLE ROW LEVEL SECURITY; -- 1. 秒杀活动:公开只读 DROP POLICY IF EXISTS seckill_select_policy ON public.ak_seckill_activities; CREATE POLICY seckill_select_policy ON public.ak_seckill_activities FOR SELECT TO anon, authenticated USING (status = true); -- 2. 拼团活动:公开只读 DROP POLICY IF EXISTS combination_select_policy ON public.ak_combination_activities; CREATE POLICY combination_select_policy ON public.ak_combination_activities FOR SELECT TO anon, authenticated USING (status = 'ongoing'); -- 3. 砍价活动:公开只读 DROP POLICY IF EXISTS bargain_select_policy ON public.ak_marketing_bargains; CREATE POLICY bargain_select_policy ON public.ak_marketing_bargains FOR SELECT TO anon, authenticated USING (status = true); -- 4. 团购活动:公开只读 DROP POLICY IF EXISTS groupbuy_select_policy ON public.ak_marketing_groupbuys; CREATE POLICY groupbuy_select_policy ON public.ak_marketing_groupbuys FOR SELECT TO anon, authenticated USING (status = true); -- 5. 抽奖活动:公开只读 DROP POLICY IF EXISTS lottery_select_policy ON public.ak_marketing_lotteries; CREATE POLICY lottery_select_policy ON public.ak_marketing_lotteries FOR SELECT TO anon, authenticated USING (is_open = true); -- 管理端全量管理将由 SECURITY DEFINER 的 RPC 接口执行 -- ===================================================================================== -- RLS: 营销模块其他业务表安全策略 (互动/会员/直播/充值) -- 位置:docs/sql/20_rls/marketing/ml_marketing_others_rls_v1.sql -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:配置类公开只读;记录类用户隔离;管理端由 RPC 承载 -- ===================================================================================== -- 启用 RLS ALTER TABLE public.ak_signin_configs ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_marketing_signin_logs ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_marketing_newcomer_config ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_marketing_member_types ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_marketing_member_rights ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_marketing_member_config ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_marketing_live_anchors ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_marketing_live_rooms ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_recharge_configs ENABLE ROW LEVEL SECURITY; ALTER TABLE public.ak_recharge_quotas ENABLE ROW LEVEL SECURITY; -- 1. 签到与新人礼配置:公开只读 DROP POLICY IF EXISTS signin_config_select_policy ON public.ak_signin_configs; CREATE POLICY signin_config_select_policy ON public.ak_signin_configs FOR SELECT TO authenticated USING (true); DROP POLICY IF EXISTS newcomer_config_select_policy ON public.ak_marketing_newcomer_config; CREATE POLICY newcomer_config_select_policy ON public.ak_marketing_newcomer_config FOR SELECT TO authenticated USING (true); -- 2. 签到日志:用户仅能查看自己的 DROP POLICY IF EXISTS signin_logs_user_policy ON public.ak_marketing_signin_logs; CREATE POLICY signin_logs_user_policy ON public.ak_marketing_signin_logs FOR SELECT TO authenticated USING (uid = auth.uid()); -- 3. 会员体系:类型与权益公开只读 DROP POLICY IF EXISTS member_types_select_policy ON public.ak_marketing_member_types; CREATE POLICY member_types_select_policy ON public.ak_marketing_member_types FOR SELECT TO authenticated USING (is_open = true); DROP POLICY IF EXISTS member_rights_select_policy ON public.ak_marketing_member_rights; CREATE POLICY member_rights_select_policy ON public.ak_marketing_member_rights FOR SELECT TO authenticated USING (is_show = true); DROP POLICY IF EXISTS member_config_select_policy ON public.ak_marketing_member_config; CREATE POLICY member_config_select_policy ON public.ak_marketing_member_config FOR SELECT TO authenticated USING (is_enabled = true); -- 4. 直播:公开只读 DROP POLICY IF EXISTS live_anchors_select_policy ON public.ak_marketing_live_anchors; CREATE POLICY live_anchors_select_policy ON public.ak_marketing_live_anchors FOR SELECT TO authenticated USING (status = true); DROP POLICY IF EXISTS live_rooms_select_policy ON public.ak_marketing_live_rooms; CREATE POLICY live_rooms_select_policy ON public.ak_marketing_live_rooms FOR SELECT TO authenticated USING (is_show = true); -- 5. 充值配置:公开只读 DROP POLICY IF EXISTS recharge_config_select_policy ON public.ak_recharge_configs; CREATE POLICY recharge_config_select_policy ON public.ak_recharge_configs FOR SELECT TO authenticated USING (balance_enabled = true); DROP POLICY IF EXISTS recharge_quotas_select_policy ON public.ak_recharge_quotas; CREATE POLICY recharge_quotas_select_policy ON public.ak_recharge_quotas FOR SELECT TO authenticated USING (is_open = true); -- 管理端全量管理均通过 SECURITY DEFINER 的 RPC 接口执行 -- RLS: 医疗商城独立分类与商品分类关联 -- 执行阶段: 20_rls ALTER TABLE public.medical_mall_categories ENABLE ROW LEVEL SECURITY; ALTER TABLE public.medical_mall_product_categories ENABLE ROW LEVEL SECURITY; DROP POLICY IF EXISTS medical_mall_categories_public_select_active ON public.medical_mall_categories; CREATE POLICY medical_mall_categories_public_select_active ON public.medical_mall_categories FOR SELECT TO anon, authenticated USING ( deleted_at IS NULL AND is_active = TRUE AND compliance_type <> 'rx_hidden' ); DROP POLICY IF EXISTS medical_mall_product_categories_public_select_active ON public.medical_mall_product_categories; CREATE POLICY medical_mall_product_categories_public_select_active ON public.medical_mall_product_categories FOR SELECT TO anon, authenticated USING (deleted_at IS NULL);-- ===================================================================================== -- RLS: 用户分组表 -- 位置:docs/sql/20_rls/user/ak_user_groups_rls_v1.sql -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:管理端全量访问通过 RPC 完成;消费者端默认不开放直接访问 -- ===================================================================================== ALTER TABLE public.ak_user_groups ENABLE ROW LEVEL SECURITY; -- 如果未来消费者端需要展示所在分组,可以在此添加对应的 SELECT 策略 -- 目前默认不向普通用户开放任何直接 SQL 读写权限 -- ===================================================================================== -- RLS: 用户标签表 -- 位置:docs/sql/20_rls/user/ak_user_labels_rls_v1.sql -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:管理端全量访问通过 RPC 完成;消费者端默认不开放直接访问 -- ===================================================================================== ALTER TABLE public.ak_user_labels ENABLE ROW LEVEL SECURITY; -- 若后续消费者端需要展示标签,可在此添加 SELECT 策略 -- 当前默认不向普通用户开放任何直接 SQL 读写权限 -- ===================================================================================== -- RLS: 用户等级表 -- 位置:docs/sql/20_rls/user/ -- 对象类型:RLS 策略 -- 版本:v1 -- 说明:消费者端可读(仅可见/启用/未删除);管理端全量访问通过 RPC 完成 -- ===================================================================================== ALTER TABLE public.ak_user_levels ENABLE ROW LEVEL SECURITY; -- 消费者端:允许读取可见且启用的等级(未删除) DROP POLICY IF EXISTS ak_user_levels_public_select_visible_active ON public.ak_user_levels; CREATE POLICY ak_user_levels_public_select_visible_active ON public.ak_user_levels FOR SELECT TO anon, authenticated USING ( deleted_at IS NULL AND status = 1 AND is_visible = TRUE ); -- 默认不开放写权限(INSERT/UPDATE/DELETE)给 anon/authenticated