529 lines
24 KiB
SQL
529 lines
24 KiB
SQL
-- =====================================================================================
|
||
-- RLS: 系统配置表安全策略
|
||
-- 位置:docs/sql/20_rls/admin/ml_system_configs_rls_v1.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:允许所有登录用户读取配置;管理端全量操作通过 RPC (SECURITY DEFINER) 执行
|
||
-- =====================================================================================
|
||
|
||
-- 启用 RLS
|
||
ALTER TABLE public.ml_system_configs ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 1. 允许所有登录用户读取配置 (用于前端业务逻辑判断)
|
||
DROP POLICY IF EXISTS system_configs_select_policy ON public.ml_system_configs;
|
||
CREATE POLICY system_configs_select_policy ON public.ml_system_configs
|
||
FOR SELECT TO authenticated USING (deleted_at IS NULL);
|
||
|
||
-- 管理端全量管理将通过 SECURITY DEFINER 的 RPC 接口执行,此处不再额外开放直接表操作
|
||
-- =====================================================================================
|
||
-- RLS: 权限管理 (Auth) 安全策略
|
||
-- 位置:docs/sql/20_rls/auth/ak_auth_rls_v1.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:角色与权限表默认不对外开放,全量管理通过 SECURITY DEFINER RPC 执行
|
||
-- =====================================================================================
|
||
|
||
-- 启用 RLS
|
||
ALTER TABLE public.ak_roles ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_permissions ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_admin_roles ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_role_permissions ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 默认策略:NO DIRECT ACCESS
|
||
-- 所有的查询和修改均建议通过 docs/sql/30_rpc/auth/ 下的专用管理接口完成
|
||
-- 这样可以确保鉴权逻辑与 ak_users.role 强制绑定,且具备审计能力
|
||
-- =====================================================================================
|
||
-- RLS: 内容管理模块安全策略
|
||
-- 位置:docs/sql/20_rls/cms/ml_cms_rls_v1.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:消费者端可读(仅已发布/启用);管理端通过 RPC 访问
|
||
-- =====================================================================================
|
||
|
||
-- 1. 开启 RLS
|
||
ALTER TABLE public.ml_article_categories ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ml_articles ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 2. 分类表策略:允许所有人读取启用的分类
|
||
DROP POLICY IF EXISTS ml_article_categories_select_active ON public.ml_article_categories;
|
||
CREATE POLICY ml_article_categories_select_active
|
||
ON public.ml_article_categories
|
||
FOR SELECT
|
||
TO anon, authenticated
|
||
USING (status = 1 AND deleted_at IS NULL);
|
||
|
||
-- 3. 文章表策略:允许所有人读取已发布的文章
|
||
DROP POLICY IF EXISTS ml_articles_select_published ON public.ml_articles;
|
||
CREATE POLICY ml_articles_select_published
|
||
ON public.ml_articles
|
||
FOR SELECT
|
||
TO anon, authenticated
|
||
USING (status = 1 AND deleted_at IS NULL);
|
||
|
||
-- 默认不开放 INSERT/UPDATE/DELETE 给普通用户,管理端操作通过 RPC (SECURITY DEFINER) 执行
|
||
-- =====================================================================================
|
||
-- RLS: 装修模块 - DIY 页面安全策略
|
||
-- 位置:docs/sql/20_rls/decoration/ml_decoration_rls_v1.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:消费者端公开只读已发布的页面;管理端通过 SECURITY DEFINER RPC 进行管理
|
||
-- =====================================================================================
|
||
|
||
-- 1. 启用 RLS
|
||
ALTER TABLE public.ak_diy_pages ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 2. 消费者端策略:允许匿名和登录用户读取已启用的页面
|
||
DROP POLICY IF EXISTS diy_pages_select_active ON public.ak_diy_pages;
|
||
CREATE POLICY diy_pages_select_active ON public.ak_diy_pages
|
||
FOR SELECT TO anon, authenticated
|
||
USING (is_active = true AND deleted_at IS NULL);
|
||
|
||
-- 管理端全量管理将通过 SECURITY DEFINER 的 RPC 接口执行,此处不再额外开放直接表操作
|
||
-- =====================================================================================
|
||
-- RLS: 物流设置 (Delivery) 安全策略
|
||
-- 位置:docs/sql/20_rls/delivery/ak_delivery_rls_v1.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:配送员表管理端私有;提货点表消费者端只读
|
||
-- =====================================================================================
|
||
|
||
-- 启用 RLS
|
||
ALTER TABLE public.ml_delivery_staff ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ml_delivery_stations ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 1. 配送员表策略:默认不开放直接访问
|
||
-- 全量管理通过 docs/sql/30_rpc/delivery/ 下的 RPC 执行
|
||
|
||
-- 2. 提货点表策略:允许消费者端只读(用于地图展示和下单选择)
|
||
DROP POLICY IF EXISTS delivery_stations_select_active ON public.ml_delivery_stations;
|
||
CREATE POLICY delivery_stations_select_active
|
||
ON public.ml_delivery_stations
|
||
FOR SELECT
|
||
TO anon, authenticated
|
||
USING (status = 1 AND deleted_at IS NULL);
|
||
|
||
-- 管理端全量管理将通过 SECURITY DEFINER 的 RPC 接口执行
|
||
-- =====================================================================================
|
||
-- RLS: 医养执行端 Delivery 安全策略升级
|
||
-- 位置:docs/sql/20_rls/delivery/ak_delivery_rls_v2.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v2
|
||
-- 说明:保留管理端通过 SECURITY DEFINER RPC 管理,补充执行人员本人直读自己档案。
|
||
-- =====================================================================================
|
||
|
||
ALTER TABLE public.ml_delivery_staff ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ml_delivery_stations ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 清理旧策略
|
||
DROP POLICY IF EXISTS delivery_staff_self_select ON public.ml_delivery_staff;
|
||
DROP POLICY IF EXISTS delivery_staff_self_update ON public.ml_delivery_staff;
|
||
DROP POLICY IF EXISTS delivery_stations_select_active ON public.ml_delivery_stations;
|
||
|
||
-- 1. 执行人员本人可直读自己的未删除档案
|
||
CREATE POLICY delivery_staff_self_select
|
||
ON public.ml_delivery_staff
|
||
FOR SELECT
|
||
TO authenticated
|
||
USING (
|
||
deleted_at IS NULL
|
||
AND EXISTS (
|
||
SELECT 1
|
||
FROM public.ak_users u
|
||
WHERE u.id = ml_delivery_staff.uid
|
||
AND u.auth_id = auth.uid()
|
||
)
|
||
);
|
||
|
||
-- 2. 执行人员本人可更新自己的在线状态等自有档案字段
|
||
CREATE POLICY delivery_staff_self_update
|
||
ON public.ml_delivery_staff
|
||
FOR UPDATE
|
||
TO authenticated
|
||
USING (
|
||
deleted_at IS NULL
|
||
AND EXISTS (
|
||
SELECT 1
|
||
FROM public.ak_users u
|
||
WHERE u.id = ml_delivery_staff.uid
|
||
AND u.auth_id = auth.uid()
|
||
)
|
||
)
|
||
WITH CHECK (
|
||
deleted_at IS NULL
|
||
AND EXISTS (
|
||
SELECT 1
|
||
FROM public.ak_users u
|
||
WHERE u.id = ml_delivery_staff.uid
|
||
AND u.auth_id = auth.uid()
|
||
)
|
||
);
|
||
|
||
-- 3. 提货点/机构对前台保持只读,仅返回启用且未删除数据
|
||
CREATE POLICY delivery_stations_select_active
|
||
ON public.ml_delivery_stations
|
||
FOR SELECT
|
||
TO anon, authenticated
|
||
USING (status = 1 AND deleted_at IS NULL);
|
||
|
||
-- 4. 派单候选人读取统一走 SECURITY DEFINER RPC,不再开放公开可派单列表 RLS
|
||
-- 5. 其余直连写操作默认不开放,管理端统一走 SECURITY DEFINER RPC
|
||
-- =====================================================================================
|
||
-- RLS: 分销模块安全策略
|
||
-- 位置:docs/sql/20_rls/distribution/ml_distribution_rls_v1.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:管理端全量权限通过 SECURITY DEFINER RPC 执行;用户仅能访问个人关联数据
|
||
-- =====================================================================================
|
||
|
||
-- 启用 RLS
|
||
ALTER TABLE public.ak_distribution_config ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_distribution_level ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_promoter_relations ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_commission_logs ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_distribution_divisions ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_distribution_agents ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_distribution_agent_applications ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 1. 分销配置:允许所有登录用户读取(消费者端展示逻辑需要)
|
||
DROP POLICY IF EXISTS dist_config_select_policy ON public.ak_distribution_config;
|
||
CREATE POLICY dist_config_select_policy ON public.ak_distribution_config
|
||
FOR SELECT TO authenticated USING (deleted_at IS NULL);
|
||
|
||
-- 2. 分销等级:允许所有登录用户读取可见等级
|
||
DROP POLICY IF EXISTS dist_level_select_policy ON public.ak_distribution_level;
|
||
CREATE POLICY dist_level_select_policy ON public.ak_distribution_level
|
||
FOR SELECT TO authenticated USING (is_visible = true AND deleted_at IS NULL);
|
||
|
||
-- 3. 推广员关系:用户仅能查看与自己相关的记录
|
||
DROP POLICY IF EXISTS promoter_relations_select_policy ON public.ak_promoter_relations;
|
||
CREATE POLICY promoter_relations_select_policy ON public.ak_promoter_relations
|
||
FOR SELECT TO authenticated USING ((uid = auth.uid() OR inviter_uid = auth.uid()) AND deleted_at IS NULL);
|
||
|
||
-- 4. 佣金日志:用户仅能查看自己的佣金记录
|
||
DROP POLICY IF EXISTS commission_logs_select_policy ON public.ak_commission_logs;
|
||
CREATE POLICY commission_logs_select_policy ON public.ak_commission_logs
|
||
FOR SELECT TO authenticated USING (uid = auth.uid() AND deleted_at IS NULL);
|
||
|
||
-- 5. 事业部与代理商:允许登录用户查看启用的记录
|
||
DROP POLICY IF EXISTS dist_divisions_select_policy ON public.ak_distribution_divisions;
|
||
CREATE POLICY dist_divisions_select_policy ON public.ak_distribution_divisions
|
||
FOR SELECT TO authenticated USING (is_enabled = true AND deleted_at IS NULL);
|
||
|
||
DROP POLICY IF EXISTS dist_agents_select_policy ON public.ak_distribution_agents;
|
||
CREATE POLICY dist_agents_select_policy ON public.ak_distribution_agents
|
||
FOR SELECT TO authenticated USING (is_enabled = true AND deleted_at IS NULL);
|
||
|
||
-- 6. 代理商申请:用户仅能管理自己的申请记录
|
||
DROP POLICY IF EXISTS dist_apply_user_policy ON public.ak_distribution_agent_applications;
|
||
CREATE POLICY dist_apply_user_policy ON public.ak_distribution_agent_applications
|
||
FOR ALL TO authenticated USING (uid = auth.uid() AND deleted_at IS NULL) WITH CHECK (uid = auth.uid());
|
||
|
||
-- 管理端全量管理将通过 SECURITY DEFINER 的 RPC 接口执行,此处不再额外开放直接表操作
|
||
-- =====================================================================================
|
||
-- RLS: 用户提现申请表
|
||
-- 位置:docs/sql/20_rls/finance/
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:仅允许用户查看自己的提现记录;管理端通过 RPC 访问
|
||
-- =====================================================================================
|
||
|
||
ALTER TABLE public.ml_extract ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 策略 1: 允许用户读取自己的提现申请
|
||
DROP POLICY IF EXISTS ml_extract_user_select ON public.ml_extract;
|
||
CREATE POLICY ml_extract_user_select
|
||
ON public.ml_extract
|
||
FOR SELECT
|
||
TO authenticated
|
||
USING (uid = auth.uid() AND deleted_at IS NULL);
|
||
|
||
-- 默认不开放 INSERT/UPDATE/DELETE 给普通用户
|
||
-- 提现申请通常由特定的 RPC 函数 (security definer) 创建,以确保业务逻辑(如冻结余额)的原子性
|
||
-- =====================================================================================
|
||
-- RLS: 发票管理表
|
||
-- 位置:docs/sql/20_rls/finance/ml_invoices_rls_v1.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:用户仅能查看自己的开票申请;管理端通过 RPC 访问
|
||
-- =====================================================================================
|
||
|
||
ALTER TABLE public.ml_invoices ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 策略 1: 允许用户读取自己的记录(仅未删除数据)
|
||
DROP POLICY IF EXISTS ml_invoices_user_select ON public.ml_invoices;
|
||
CREATE POLICY ml_invoices_user_select
|
||
ON public.ml_invoices
|
||
FOR SELECT
|
||
TO authenticated
|
||
USING (uid = auth.uid() AND deleted_at IS NULL);
|
||
|
||
-- 默认不开放 INSERT/UPDATE/DELETE 给普通用户,通常由 RPC 或支付后逻辑触发
|
||
-- =====================================================================================
|
||
-- RLS: 用户资金流水表
|
||
-- 位置:docs/sql/20_rls/finance/
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:仅允许用户查看自己的流水记录;管理端通过 RPC 访问
|
||
-- =====================================================================================
|
||
|
||
ALTER TABLE public.ml_user_bill ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 策略 1: 允许用户读取自己的记录(仅未删除数据)
|
||
DROP POLICY IF EXISTS ml_user_bill_user_select ON public.ml_user_bill;
|
||
CREATE POLICY ml_user_bill_user_select
|
||
ON public.ml_user_bill
|
||
FOR SELECT
|
||
TO authenticated
|
||
USING (uid = auth.uid() AND deleted_at IS NULL);
|
||
|
||
-- 默认不开放 INSERT/UPDATE/DELETE 给普通用户,由后端逻辑或 RPC 触发
|
||
-- =====================================================================================
|
||
-- RLS: 用户充值记录表
|
||
-- 位置:docs/sql/20_rls/finance/
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:仅允许用户查看自己的充值记录;管理端通过 RPC 访问
|
||
-- =====================================================================================
|
||
|
||
ALTER TABLE public.ml_user_recharge ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 策略 1: 允许用户读取自己的记录(仅未删除数据)
|
||
DROP POLICY IF EXISTS ml_user_recharge_user_select ON public.ml_user_recharge;
|
||
CREATE POLICY ml_user_recharge_user_select
|
||
ON public.ml_user_recharge
|
||
FOR SELECT
|
||
TO authenticated
|
||
USING (uid = auth.uid() AND deleted_at IS NULL);
|
||
|
||
-- 默认不开放 INSERT/UPDATE/DELETE 给普通用户,写操作通常由业务逻辑或支付回调触发
|
||
-- =====================================================================================
|
||
-- RLS: 客服模块安全策略
|
||
-- 位置:docs/sql/20_rls/kefu/ml_kefu_rls_v1.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:管理端全量访问通过 RPC 完成;用户仅能操作自己的留言反馈
|
||
-- =====================================================================================
|
||
|
||
-- 开启所有表的 RLS
|
||
ALTER TABLE public.ml_kefu_accounts ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ml_kefu_word_categories ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ml_kefu_words ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ml_kefu_feedbacks ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ml_kefu_auto_replies ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 1. 留言反馈表策略
|
||
-- 允许登录用户插入自己的留言
|
||
DROP POLICY IF EXISTS ml_kefu_feedbacks_user_insert ON public.ml_kefu_feedbacks;
|
||
CREATE POLICY ml_kefu_feedbacks_user_insert
|
||
ON public.ml_kefu_feedbacks
|
||
FOR INSERT
|
||
TO authenticated
|
||
WITH CHECK (user_id = auth.uid());
|
||
|
||
-- 允许用户查看自己的留言
|
||
DROP POLICY IF EXISTS ml_kefu_feedbacks_user_select ON public.ml_kefu_feedbacks;
|
||
CREATE POLICY ml_kefu_feedbacks_user_select
|
||
ON public.ml_kefu_feedbacks
|
||
FOR SELECT
|
||
TO authenticated
|
||
USING (user_id = auth.uid());
|
||
|
||
-- 其他表(账号、话术、自动回复)默认不向 anon/authenticated 角色开放 SELECT/INSERT/UPDATE/DELETE
|
||
-- 管理端全量管理将通过 SECURITY DEFINER 的 RPC 函数执行
|
||
-- =====================================================================================
|
||
-- RLS Policy: 优惠券模板表权限控制
|
||
-- 位置:docs/sql/20_rls/marketing/ml_coupon_templates_rls_v1.sql
|
||
-- 说明:确保商家仅能管理自己的优惠券模板,管理员拥有全权限。
|
||
-- =====================================================================================
|
||
|
||
-- 1. 启用 RLS
|
||
ALTER TABLE public.ml_coupon_templates ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 2. 创建权限策略
|
||
-- 允许商家管理自己的模板
|
||
CREATE POLICY ml_coupon_templates_merchant_policy ON public.ml_coupon_templates
|
||
FOR ALL
|
||
TO authenticated
|
||
USING (
|
||
merchant_id = auth.uid() OR
|
||
EXISTS (
|
||
SELECT 1 FROM public.ak_users
|
||
WHERE id = auth.uid() AND role = 'admin'
|
||
)
|
||
)
|
||
WITH CHECK (
|
||
merchant_id = auth.uid() OR
|
||
EXISTS (
|
||
SELECT 1 FROM public.ak_users
|
||
WHERE id = auth.uid() AND role = 'admin'
|
||
)
|
||
);
|
||
|
||
-- 允许所有认证用户查看模板(用于前台领取)
|
||
CREATE POLICY ml_coupon_templates_select_policy ON public.ml_coupon_templates
|
||
FOR SELECT
|
||
TO authenticated
|
||
USING (status = 1);
|
||
-- =====================================================================================
|
||
-- RLS: 营销核心活动表安全策略
|
||
-- 位置:docs/sql/20_rls/marketing/ml_marketing_activities_rls_v1.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:消费者端公开只读;管理端操作由 RPC (SECURITY DEFINER) 承载
|
||
-- =====================================================================================
|
||
|
||
-- 启用 RLS
|
||
ALTER TABLE public.ak_seckill_activities ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_combination_activities ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_marketing_bargains ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_marketing_groupbuys ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_marketing_lotteries ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 1. 秒杀活动:公开只读
|
||
DROP POLICY IF EXISTS seckill_select_policy ON public.ak_seckill_activities;
|
||
CREATE POLICY seckill_select_policy ON public.ak_seckill_activities FOR SELECT TO anon, authenticated USING (status = true);
|
||
|
||
-- 2. 拼团活动:公开只读
|
||
DROP POLICY IF EXISTS combination_select_policy ON public.ak_combination_activities;
|
||
CREATE POLICY combination_select_policy ON public.ak_combination_activities FOR SELECT TO anon, authenticated USING (status = 'ongoing');
|
||
|
||
-- 3. 砍价活动:公开只读
|
||
DROP POLICY IF EXISTS bargain_select_policy ON public.ak_marketing_bargains;
|
||
CREATE POLICY bargain_select_policy ON public.ak_marketing_bargains FOR SELECT TO anon, authenticated USING (status = true);
|
||
|
||
-- 4. 团购活动:公开只读
|
||
DROP POLICY IF EXISTS groupbuy_select_policy ON public.ak_marketing_groupbuys;
|
||
CREATE POLICY groupbuy_select_policy ON public.ak_marketing_groupbuys FOR SELECT TO anon, authenticated USING (status = true);
|
||
|
||
-- 5. 抽奖活动:公开只读
|
||
DROP POLICY IF EXISTS lottery_select_policy ON public.ak_marketing_lotteries;
|
||
CREATE POLICY lottery_select_policy ON public.ak_marketing_lotteries FOR SELECT TO anon, authenticated USING (is_open = true);
|
||
|
||
-- 管理端全量管理将由 SECURITY DEFINER 的 RPC 接口执行
|
||
-- =====================================================================================
|
||
-- RLS: 营销模块其他业务表安全策略 (互动/会员/直播/充值)
|
||
-- 位置:docs/sql/20_rls/marketing/ml_marketing_others_rls_v1.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:配置类公开只读;记录类用户隔离;管理端由 RPC 承载
|
||
-- =====================================================================================
|
||
|
||
-- 启用 RLS
|
||
ALTER TABLE public.ak_signin_configs ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_marketing_signin_logs ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_marketing_newcomer_config ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_marketing_member_types ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_marketing_member_rights ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_marketing_member_config ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_marketing_live_anchors ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_marketing_live_rooms ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_recharge_configs ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.ak_recharge_quotas ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 1. 签到与新人礼配置:公开只读
|
||
DROP POLICY IF EXISTS signin_config_select_policy ON public.ak_signin_configs;
|
||
CREATE POLICY signin_config_select_policy ON public.ak_signin_configs FOR SELECT TO authenticated USING (true);
|
||
|
||
DROP POLICY IF EXISTS newcomer_config_select_policy ON public.ak_marketing_newcomer_config;
|
||
CREATE POLICY newcomer_config_select_policy ON public.ak_marketing_newcomer_config FOR SELECT TO authenticated USING (true);
|
||
|
||
-- 2. 签到日志:用户仅能查看自己的
|
||
DROP POLICY IF EXISTS signin_logs_user_policy ON public.ak_marketing_signin_logs;
|
||
CREATE POLICY signin_logs_user_policy ON public.ak_marketing_signin_logs
|
||
FOR SELECT TO authenticated USING (uid = auth.uid());
|
||
|
||
-- 3. 会员体系:类型与权益公开只读
|
||
DROP POLICY IF EXISTS member_types_select_policy ON public.ak_marketing_member_types;
|
||
CREATE POLICY member_types_select_policy ON public.ak_marketing_member_types FOR SELECT TO authenticated USING (is_open = true);
|
||
|
||
DROP POLICY IF EXISTS member_rights_select_policy ON public.ak_marketing_member_rights;
|
||
CREATE POLICY member_rights_select_policy ON public.ak_marketing_member_rights FOR SELECT TO authenticated USING (is_show = true);
|
||
|
||
DROP POLICY IF EXISTS member_config_select_policy ON public.ak_marketing_member_config;
|
||
CREATE POLICY member_config_select_policy ON public.ak_marketing_member_config FOR SELECT TO authenticated USING (is_enabled = true);
|
||
|
||
-- 4. 直播:公开只读
|
||
DROP POLICY IF EXISTS live_anchors_select_policy ON public.ak_marketing_live_anchors;
|
||
CREATE POLICY live_anchors_select_policy ON public.ak_marketing_live_anchors FOR SELECT TO authenticated USING (status = true);
|
||
|
||
DROP POLICY IF EXISTS live_rooms_select_policy ON public.ak_marketing_live_rooms;
|
||
CREATE POLICY live_rooms_select_policy ON public.ak_marketing_live_rooms FOR SELECT TO authenticated USING (is_show = true);
|
||
|
||
-- 5. 充值配置:公开只读
|
||
DROP POLICY IF EXISTS recharge_config_select_policy ON public.ak_recharge_configs;
|
||
CREATE POLICY recharge_config_select_policy ON public.ak_recharge_configs FOR SELECT TO authenticated USING (balance_enabled = true);
|
||
|
||
DROP POLICY IF EXISTS recharge_quotas_select_policy ON public.ak_recharge_quotas;
|
||
CREATE POLICY recharge_quotas_select_policy ON public.ak_recharge_quotas FOR SELECT TO authenticated USING (is_open = true);
|
||
|
||
-- 管理端全量管理均通过 SECURITY DEFINER 的 RPC 接口执行
|
||
-- RLS: 医疗商城独立分类与商品分类关联
|
||
-- 执行阶段: 20_rls
|
||
|
||
ALTER TABLE public.medical_mall_categories ENABLE ROW LEVEL SECURITY;
|
||
ALTER TABLE public.medical_mall_product_categories ENABLE ROW LEVEL SECURITY;
|
||
|
||
DROP POLICY IF EXISTS medical_mall_categories_public_select_active ON public.medical_mall_categories;
|
||
CREATE POLICY medical_mall_categories_public_select_active
|
||
ON public.medical_mall_categories
|
||
FOR SELECT
|
||
TO anon, authenticated
|
||
USING (
|
||
deleted_at IS NULL
|
||
AND is_active = TRUE
|
||
AND compliance_type <> 'rx_hidden'
|
||
);
|
||
|
||
DROP POLICY IF EXISTS medical_mall_product_categories_public_select_active ON public.medical_mall_product_categories;
|
||
CREATE POLICY medical_mall_product_categories_public_select_active
|
||
ON public.medical_mall_product_categories
|
||
FOR SELECT
|
||
TO anon, authenticated
|
||
USING (deleted_at IS NULL);-- =====================================================================================
|
||
-- RLS: 用户分组表
|
||
-- 位置:docs/sql/20_rls/user/ak_user_groups_rls_v1.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:管理端全量访问通过 RPC 完成;消费者端默认不开放直接访问
|
||
-- =====================================================================================
|
||
|
||
ALTER TABLE public.ak_user_groups ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 如果未来消费者端需要展示所在分组,可以在此添加对应的 SELECT 策略
|
||
-- 目前默认不向普通用户开放任何直接 SQL 读写权限
|
||
-- =====================================================================================
|
||
-- RLS: 用户标签表
|
||
-- 位置:docs/sql/20_rls/user/ak_user_labels_rls_v1.sql
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:管理端全量访问通过 RPC 完成;消费者端默认不开放直接访问
|
||
-- =====================================================================================
|
||
|
||
ALTER TABLE public.ak_user_labels ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 若后续消费者端需要展示标签,可在此添加 SELECT 策略
|
||
-- 当前默认不向普通用户开放任何直接 SQL 读写权限
|
||
-- =====================================================================================
|
||
-- RLS: 用户等级表
|
||
-- 位置:docs/sql/20_rls/user/
|
||
-- 对象类型:RLS 策略
|
||
-- 版本:v1
|
||
-- 说明:消费者端可读(仅可见/启用/未删除);管理端全量访问通过 RPC 完成
|
||
-- =====================================================================================
|
||
|
||
ALTER TABLE public.ak_user_levels ENABLE ROW LEVEL SECURITY;
|
||
|
||
-- 消费者端:允许读取可见且启用的等级(未删除)
|
||
DROP POLICY IF EXISTS ak_user_levels_public_select_visible_active ON public.ak_user_levels;
|
||
CREATE POLICY ak_user_levels_public_select_visible_active
|
||
ON public.ak_user_levels
|
||
FOR SELECT
|
||
TO anon, authenticated
|
||
USING (
|
||
deleted_at IS NULL
|
||
AND status = 1
|
||
AND is_visible = TRUE
|
||
);
|
||
|
||
-- 默认不开放写权限(INSERT/UPDATE/DELETE)给 anon/authenticated
|