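-- =====================================================================================
-- RLS: medical-care delivery execution side (Delivery) security policy upgrade
-- Location: docs/sql/20_rls/delivery/ak_delivery_rls_v2.sql
-- Object type: RLS policies
-- Version: v2
-- Description: admin-side management stays behind SECURITY DEFINER RPCs; this file adds
--   direct access for delivery staff to their own profile row (read, plus self-update).
-- =====================================================================================
--
-- Identity model used by the policies below: auth.uid() is the caller's auth subject;
-- public.ak_users maps it (ak_users.auth_id) to the application user id (ak_users.id),
-- which is what ml_delivery_staff.uid references. Ownership of a staff row is therefore
-- established through that join, never by trusting a client-supplied uid.
--
-- auth.uid() is written as (SELECT auth.uid()) so the planner evaluates it once per
-- statement (InitPlan) rather than once per candidate row; the result is identical.

ALTER TABLE public.ml_delivery_staff ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.ml_delivery_stations ENABLE ROW LEVEL SECURITY;

-- Drop the previous policy versions. With RLS enabled and no policy present, the tables
-- are default-deny for anon/authenticated, so the window between DROP and CREATE fails
-- closed rather than open.
DROP POLICY IF EXISTS delivery_staff_self_select ON public.ml_delivery_staff;
DROP POLICY IF EXISTS delivery_staff_self_update ON public.ml_delivery_staff;
DROP POLICY IF EXISTS delivery_stations_select_active ON public.ml_delivery_stations;

-- 1. Delivery staff may read their own, not-soft-deleted profile row.
CREATE POLICY delivery_staff_self_select
ON public.ml_delivery_staff
FOR SELECT
TO authenticated
USING (
    deleted_at IS NULL
    AND EXISTS (
        SELECT 1
        FROM public.ak_users u
        WHERE u.id = ml_delivery_staff.uid
          AND u.auth_id = (SELECT auth.uid())
    )
);

-- 2. Delivery staff may update their own profile row (e.g. online status).
--    USING decides which existing rows the UPDATE can see; WITH CHECK re-validates the
--    row after the change, so the caller cannot re-point uid at another person's user
--    id or set deleted_at (soft-delete) through this path.
--    CAUTION: RLS is row-scoped only. This policy permits changing *every* column of the
--    row, not just the "own" fields the comment describes. Restrict writable columns
--    with column-level privileges, e.g.
--      REVOKE UPDATE ON public.ml_delivery_staff FROM authenticated;
--      GRANT UPDATE (<allowed columns>) ON public.ml_delivery_staff TO authenticated;
--    TODO(review): confirm the allowed column list with the schema owner before applying.
CREATE POLICY delivery_staff_self_update
ON public.ml_delivery_staff
FOR UPDATE
TO authenticated
USING (
    deleted_at IS NULL
    AND EXISTS (
        SELECT 1
        FROM public.ak_users u
        WHERE u.id = ml_delivery_staff.uid
          AND u.auth_id = (SELECT auth.uid())
    )
)
WITH CHECK (
    deleted_at IS NULL
    AND EXISTS (
        SELECT 1
        FROM public.ak_users u
        WHERE u.id = ml_delivery_staff.uid
          AND u.auth_id = (SELECT auth.uid())
    )
);

-- 3. Pickup points / institutions are read-only for the front end; only enabled
--    (status = 1) and not-soft-deleted rows are returned, to anonymous and
--    authenticated clients alike.
CREATE POLICY delivery_stations_select_active
ON public.ml_delivery_stations
FOR SELECT
TO anon, authenticated
USING (status = 1 AND deleted_at IS NULL);

-- 4. No other direct write paths are opened by default; admin-side writes go through
--    SECURITY DEFINER RPCs. Note that default-deny applies only to roles subject to RLS:
--    the table owner and roles with BYPASSRLS are exempt unless FORCE ROW LEVEL SECURITY
--    is set on the table, and the policies above add to, not replace, table/column GRANTs.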