MasterMito/work-club-manager
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
main
work-club-manager/backend/WorkClub.Infrastructure/Migrations/add-rls-policies.sql

54 lines
1.6 KiB
MySQL
Raw Permalink Normal View History

feat(backend): add PostgreSQL schema, RLS policies, and multi-tenant middleware - Add EF Core migrations for initial schema (clubs, members, work_items, shifts, shift_signups) - Implement RLS policies with SET LOCAL for tenant isolation - Add Finbuckle multi-tenant middleware with ClaimStrategy + HeaderStrategy fallback - Create TenantValidationMiddleware to enforce JWT claims match X-Tenant-Id header - Add tenant-aware DB interceptors (SaveChangesTenantInterceptor, TenantDbConnectionInterceptor) - Configure AppDbContext with tenant scoping and RLS support - Add test infrastructure: CustomWebApplicationFactory, TestAuthHandler, DatabaseFixture - Write TDD integration tests for multi-tenant isolation and RLS enforcement - Add health check null safety for connection string Tasks: 7 (PostgreSQL schema + migrations + RLS), 8 (Finbuckle multi-tenancy + validation), 12 (test infrastructure)
2026-03-03 14:32:21 +01:00
-- Enable Row-Level Security on all tenant-scoped tables
ALTER TABLE clubs ENABLE ROW LEVEL SECURITY;
ALTER TABLE members ENABLE ROW LEVEL SECURITY;
ALTER TABLE work_items ENABLE ROW LEVEL SECURITY;
ALTER TABLE shifts ENABLE ROW LEVEL SECURITY;
ALTER TABLE shift_signups ENABLE ROW LEVEL SECURITY;
-- Create tenant_isolation policies for tables with direct tenant_id column
CREATE POLICY tenant_isolation ON clubs
FOR ALL
USING ("TenantId" = current_setting('app.current_tenant_id', true)::text);
CREATE POLICY tenant_isolation ON members
FOR ALL
USING ("TenantId" = current_setting('app.current_tenant_id', true)::text);
CREATE POLICY tenant_isolation ON work_items
FOR ALL
USING ("TenantId" = current_setting('app.current_tenant_id', true)::text);
CREATE POLICY tenant_isolation ON shifts
FOR ALL
USING ("TenantId" = current_setting('app.current_tenant_id', true)::text);
-- Special policy for shift_signups (no direct tenant_id, uses subquery via shifts)
CREATE POLICY tenant_isolation ON shift_signups
FOR ALL
USING ("ShiftId" IN (SELECT "Id" FROM shifts WHERE "TenantId" = current_setting('app.current_tenant_id', true)::text));
-- Create bypass_rls_policy for app_admin role
CREATE POLICY bypass_rls_policy ON clubs
FOR ALL TO app_admin
USING (true);
CREATE POLICY bypass_rls_policy ON members
FOR ALL TO app_admin
USING (true);
CREATE POLICY bypass_rls_policy ON work_items
FOR ALL TO app_admin
USING (true);
CREATE POLICY bypass_rls_policy ON shifts
FOR ALL TO app_admin
USING (true);
CREATE POLICY bypass_rls_policy ON shift_signups
FOR ALL TO app_admin
USING (true);
Reference in New Issue Copy Permalink