feat(fase-13): server_admins + admin_actions audit log model
Migration 024 introduces the orthogonal global role and the append-only audit log. server_admins is a separate table (not a column on users) so that promote/revoke don't require a JWT re-issue; is_server_admin() is a STABLE SECURITY DEFINER helper matching the shape of is_admin/is_member. admin_actions has only a SELECT policy (admin-only) — no INSERT/UPDATE/ DELETE policies, so only the SECURITY DEFINER RPCs in migration 025 can write to it. actor_id FK uses RESTRICT so the audit trail outlives admins. Bootstrap via infra/db-init/10-server-admin-seed.sh on first volume init (reads SERVER_ADMIN_EMAIL); supabase/seed.sql also pre-seeds Ana for dev/test because docker-entrypoint-initdb.d does not re-fire on long-lived dev volumes. Documented in .env.erosi.example. 20 new pgTAP assertions cover schema shape, RLS posture, FK behaviour, and the SECURITY DEFINER + STABLE attributes on is_server_admin(). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
95
supabase/migrations/024_server_admin.sql
Normal file
95
supabase/migrations/024_server_admin.sql
Normal file
@@ -0,0 +1,95 @@
|
||||
-- Migration 024: server admin role + audit log (Fase 13.1)
|
||||
--
|
||||
-- Introduces an orthogonal global role used by the operator-facing /admin area.
|
||||
-- A `server_admin` is NOT a `collective_member` role — it's a separate gate
|
||||
-- that lets one user delete/restore collectives, expel members, set default
|
||||
-- section visibility, and inspect any colective on the instance.
|
||||
--
|
||||
-- ── Design notes ────────────────────────────────────────────────────────────
|
||||
-- * We pick a table (`server_admins`) over a column on `users` because the
|
||||
-- JWT doesn't need to carry the flag — `is_server_admin()` is a cheap STABLE
|
||||
-- query and there's no way for an admin to silently keep the role after a
|
||||
-- `revoke` if the bit lived inside the cached JWT.
|
||||
-- * `admin_actions` is append-only at the policy level. Only SECURITY DEFINER
|
||||
-- RPCs (migration 025) ever write to it, so we never declare INSERT/UPDATE/
|
||||
-- DELETE policies. SELECT is admin-only — even the actor cannot reach back
|
||||
-- in via PostgREST and rewrite their own history without a superuser shell.
|
||||
-- * `server_admins.user_id` cascades on user delete: when an admin hard-deletes
|
||||
-- their own public.users row via the standard `delete_account()` flow, their
|
||||
-- privilege evaporates. The 'last admin' guard lives in the RPC layer
|
||||
-- (migration 025), not here — `delete_account()` is intentionally orthogonal.
|
||||
-- * Bootstrap: see `infra/db-init/10-server-admin-seed.sh`. The seed reads
|
||||
-- SERVER_ADMIN_EMAIL on FIRST volume init only. For dev (where the volume is
|
||||
-- long-lived) we additionally seed Ana as admin via supabase/seed.sql.
|
||||
|
||||
CREATE TABLE public.server_admins (
|
||||
user_id uuid PRIMARY KEY REFERENCES public.users(id) ON DELETE CASCADE,
|
||||
granted_by uuid NULL REFERENCES public.users(id) ON DELETE SET NULL,
|
||||
granted_at timestamptz NOT NULL DEFAULT now()
|
||||
);
|
||||
|
||||
ALTER TABLE public.server_admins ENABLE ROW LEVEL SECURITY;
|
||||
|
||||
-- A user can always read their own row (so the client can compute
|
||||
-- $isServerAdmin without escalation); other admins can read the full list.
|
||||
-- No INSERT/UPDATE/DELETE policy — only SECURITY DEFINER RPCs touch this.
|
||||
CREATE POLICY "select_self_or_admin" ON public.server_admins
|
||||
FOR SELECT
|
||||
USING (
|
||||
user_id = auth.uid()
|
||||
OR EXISTS (SELECT 1 FROM public.server_admins WHERE user_id = auth.uid())
|
||||
);
|
||||
|
||||
-- ── is_server_admin() ───────────────────────────────────────────────────────
|
||||
-- The default-arg form lets RLS-style call-sites write `is_server_admin()` and
|
||||
-- get `auth.uid()` for free, matching the shape of `is_admin()` / `is_member()`
|
||||
-- from migration 003.
|
||||
CREATE OR REPLACE FUNCTION public.is_server_admin(p_user uuid DEFAULT auth.uid())
|
||||
RETURNS boolean
|
||||
LANGUAGE sql
|
||||
STABLE
|
||||
SECURITY DEFINER
|
||||
SET search_path = public, auth
|
||||
AS $$
|
||||
SELECT EXISTS (
|
||||
SELECT 1 FROM public.server_admins WHERE user_id = p_user
|
||||
);
|
||||
$$;
|
||||
|
||||
COMMENT ON FUNCTION public.is_server_admin(uuid) IS
|
||||
'Returns true if the given user (default auth.uid()) is a server admin.';
|
||||
|
||||
REVOKE ALL ON FUNCTION public.is_server_admin(uuid) FROM PUBLIC;
|
||||
GRANT EXECUTE ON FUNCTION public.is_server_admin(uuid) TO anon, authenticated;
|
||||
|
||||
-- ── admin_actions ──────────────────────────────────────────────────────────
|
||||
-- Append-only audit log. Every privileged RPC in migration 025 writes one
|
||||
-- row before mutating state. `actor_id` is RESTRICT so the audit trail
|
||||
-- never silently disappears when an admin's user row is removed — the FK
|
||||
-- forces an explicit decision (delete the actions first, or transfer
|
||||
-- ownership). Operationally the audit log is intended to outlive admins.
|
||||
|
||||
CREATE TABLE public.admin_actions (
|
||||
id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
|
||||
actor_id uuid NOT NULL REFERENCES public.users(id) ON DELETE RESTRICT,
|
||||
action text NOT NULL,
|
||||
target_type text NOT NULL,
|
||||
target_id uuid NULL,
|
||||
payload jsonb NOT NULL DEFAULT '{}'::jsonb,
|
||||
created_at timestamptz NOT NULL DEFAULT now()
|
||||
);
|
||||
|
||||
ALTER TABLE public.admin_actions ENABLE ROW LEVEL SECURITY;
|
||||
|
||||
-- Only admins can read the log. No write policy: SECURITY DEFINER RPCs only.
|
||||
CREATE POLICY "select_admin_only" ON public.admin_actions
|
||||
FOR SELECT
|
||||
USING (public.is_server_admin());
|
||||
|
||||
CREATE INDEX admin_actions_actor_idx ON public.admin_actions (actor_id, created_at DESC);
|
||||
CREATE INDEX admin_actions_target_idx ON public.admin_actions (target_type, target_id);
|
||||
CREATE INDEX admin_actions_created_idx ON public.admin_actions (created_at DESC);
|
||||
|
||||
COMMENT ON TABLE public.admin_actions IS
|
||||
'Append-only audit log of every privileged RPC call. Written exclusively '
|
||||
'by SECURITY DEFINER functions in migration 025.';
|
||||
Reference in New Issue
Block a user