feat(fase-13): admin RPCs + server_settings + section_enabled server layer
Migration 025 adds:
- collectives.deleted_at column for soft delete (app-level visibility;
RLS does NOT enforce soft-delete invisibility — admin area surfaces
everything by design).
- server_settings(key text pk, value jsonb) — generic admin-write bag
seeded with an empty 'default_sections' row.
- section_enabled() extended with the server layer as the topmost
coalesce branch. Final precedence: server > collective > user > true.
- Privileged RPCs: grant_/revoke_server_admin (last-admin guard fires
P0003), admin_list_collectives, admin_soft_delete_collective,
admin_restore_collective, admin_hard_delete_collective (30-day or
p_force=true), admin_remove_member, admin_set_default_section
(rejects unknown sections via known_sections() lookup).
- _log_admin_action(): private helper centralising the
audit INSERT, called by every privileged RPC BEFORE the mutation.
Migration 024 RLS policy on server_admins rewritten to delegate the
admin branch to is_server_admin() (SECURITY DEFINER, bypasses RLS) —
the original inline EXISTS hit infinite recursion (caught empirically
with `SET ROLE authenticated`).
22 new pgTAP assertions cover schema shape, RPC signatures, the
SECURITY DEFINER posture of every admin function, the new deleted_at
column, and the server-layer precedence semantics for section_enabled.
10 new Vitest integration tests (SA-01..SA-10) cover:
- admin_list_collectives gated for non-admins (P0001 'forbidden').
- soft / restore / hard delete audit + state transitions.
- hard-delete recency guard (not_soft_deleted, too_recent, force).
- hard-delete cascade is non-destructive to public.users.
- remove_member writes role_was + reason to audit payload.
- set_default_section rejects unknown sections; patches JSONB
without clobbering siblings.
- grant/revoke with last-admin guard (revoking the sole admin
raises P0003 'last_admin'; failed call does NOT write audit).
- section_enabled precedence walked layer by layer in one client.
- RLS: non-admin sees zero rows in admin_actions + server_admins.
packages/types/src/database.ts hand-extended with the new tables and
RPC signatures; collectives Row/Insert/Update get deleted_at.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -30,17 +30,13 @@ CREATE TABLE public.server_admins (
|
||||
|
||||
ALTER TABLE public.server_admins ENABLE ROW LEVEL SECURITY;
|
||||
|
||||
-- A user can always read their own row (so the client can compute
|
||||
-- $isServerAdmin without escalation); other admins can read the full list.
|
||||
-- No INSERT/UPDATE/DELETE policy — only SECURITY DEFINER RPCs touch this.
|
||||
CREATE POLICY "select_self_or_admin" ON public.server_admins
|
||||
FOR SELECT
|
||||
USING (
|
||||
user_id = auth.uid()
|
||||
OR EXISTS (SELECT 1 FROM public.server_admins WHERE user_id = auth.uid())
|
||||
);
|
||||
|
||||
-- ── is_server_admin() ───────────────────────────────────────────────────────
|
||||
-- Declared BEFORE the RLS policy so the policy can call it. The function is
|
||||
-- SECURITY DEFINER → it bypasses RLS on `server_admins`, which is the only way
|
||||
-- to break the otherwise-recursive policy ("you can see rows if you ARE in
|
||||
-- this table" → the inner SELECT triggers the same policy → infinite
|
||||
-- recursion, observed empirically before this rewrite).
|
||||
--
|
||||
-- The default-arg form lets RLS-style call-sites write `is_server_admin()` and
|
||||
-- get `auth.uid()` for free, matching the shape of `is_admin()` / `is_member()`
|
||||
-- from migration 003.
|
||||
@@ -62,6 +58,18 @@ COMMENT ON FUNCTION public.is_server_admin(uuid) IS
|
||||
REVOKE ALL ON FUNCTION public.is_server_admin(uuid) FROM PUBLIC;
|
||||
GRANT EXECUTE ON FUNCTION public.is_server_admin(uuid) TO anon, authenticated;
|
||||
|
||||
-- A user can always read their own row (so the client can compute
|
||||
-- $isServerAdmin without escalation); other admins can read the full list.
|
||||
-- The admin branch uses is_server_admin() — NOT an inline EXISTS — to bypass
|
||||
-- the otherwise-recursive RLS evaluation (see function comment above).
|
||||
-- No INSERT/UPDATE/DELETE policy — only SECURITY DEFINER RPCs touch this.
|
||||
CREATE POLICY "select_self_or_admin" ON public.server_admins
|
||||
FOR SELECT
|
||||
USING (
|
||||
user_id = auth.uid()
|
||||
OR public.is_server_admin()
|
||||
);
|
||||
|
||||
-- ── admin_actions ──────────────────────────────────────────────────────────
|
||||
-- Append-only audit log. Every privileged RPC in migration 025 writes one
|
||||
-- row before mutating state. `actor_id` is RESTRICT so the audit trail
|
||||
|
||||
Reference in New Issue
Block a user