Row Level Security (RLS)

ALTER TABLE sucursales ENABLE ROW LEVEL SECURITY;

CREATE POLICY "sucursales_select" ON sucursales FOR SELECT 
  USING (auth.role() = 'authenticated');

ALTER TABLE users ENABLE ROW LEVEL SECURITY;

CREATE POLICY "users_select" ON users FOR SELECT
  USING (id = auth.uid() OR 
         EXISTS (SELECT 1 FROM users WHERE id = auth.uid() AND rol = 'admin'));

CREATE POLICY "users_insert" ON users FOR INSERT 
  WITH CHECK (id = auth.uid());

CREATE POLICY "users_update" ON users FOR UPDATE 
  USING (id = auth.uid());

ALTER TABLE materiales ENABLE ROW LEVEL SECURITY;

CREATE POLICY "materiales_select" ON materiales FOR SELECT 
  USING (auth.role() = 'authenticated');

ALTER TABLE pedidos ENABLE ROW LEVEL SECURITY;

-- SELECT: sucursal sees own; admin sees all
CREATE POLICY "pedidos_select" ON pedidos FOR SELECT USING (
  EXISTS (SELECT 1 FROM users WHERE id = auth.uid() AND rol = 'admin')
  OR sucursal_id = (SELECT sucursal_id FROM users WHERE id = auth.uid())
);

-- INSERT: must be user's own branch
CREATE POLICY "pedidos_insert" ON pedidos FOR INSERT WITH CHECK (
  sucursal_id = (SELECT sucursal_id FROM users WHERE id = auth.uid())
);

-- UPDATE (sucursal): only drafts from own branch
CREATE POLICY "pedidos_update_sucursal" ON pedidos FOR UPDATE USING (
  estado = 'borrador'
  AND sucursal_id = (SELECT sucursal_id FROM users WHERE id = auth.uid())
) WITH CHECK (
  sucursal_id = (SELECT sucursal_id FROM users WHERE id = auth.uid())
);

-- UPDATE (admin): unrestricted
CREATE POLICY "pedidos_update_admin" ON pedidos FOR UPDATE USING (
  EXISTS (SELECT 1 FROM users WHERE id = auth.uid() AND rol = 'admin')
);

-- DELETE (sucursal): only drafts from own branch
CREATE POLICY "pedidos_delete_sucursal" ON pedidos FOR DELETE USING (
  estado = 'borrador'
  AND sucursal_id = (SELECT sucursal_id FROM users WHERE id = auth.uid())
);

ALTER TABLE pedido_detalle ENABLE ROW LEVEL SECURITY;

-- SELECT: follows parent pedido rules
CREATE POLICY "detalle_select" ON pedido_detalle FOR SELECT USING (
  EXISTS (
    SELECT 1 FROM pedidos p
    WHERE p.id = pedido_id AND (
      EXISTS (SELECT 1 FROM users WHERE id = auth.uid() AND rol = 'admin')
      OR p.sucursal_id = (SELECT sucursal_id FROM users WHERE id = auth.uid())
    )
  )
);

-- INSERT (sucursal): parent must be draft + own branch
CREATE POLICY "detalle_insert" ON pedido_detalle FOR INSERT WITH CHECK (
  EXISTS (
    SELECT 1 FROM pedidos p
    WHERE p.id = pedido_id
      AND p.estado = 'borrador'
      AND p.sucursal_id = (SELECT sucursal_id FROM users WHERE id = auth.uid())
  )
);

-- INSERT (admin): unrestricted
CREATE POLICY "detalle_insert_admin" ON pedido_detalle FOR INSERT WITH CHECK (
  EXISTS (SELECT 1 FROM users WHERE id = auth.uid() AND rol = 'admin')
);

-- UPDATE (sucursal): parent must be draft + own branch
CREATE POLICY "detalle_update" ON pedido_detalle FOR UPDATE USING (
  EXISTS (
    SELECT 1 FROM pedidos p
    WHERE p.id = pedido_id
      AND p.estado = 'borrador'
      AND p.sucursal_id = (SELECT sucursal_id FROM users WHERE id = auth.uid())
  )
);

-- UPDATE (admin): unrestricted
CREATE POLICY "detalle_update_admin" ON pedido_detalle FOR UPDATE USING (
  EXISTS (SELECT 1 FROM users WHERE id = auth.uid() AND rol = 'admin')
);

-- DELETE (sucursal): parent must be draft + own branch
CREATE POLICY "detalle_delete" ON pedido_detalle FOR DELETE USING (
  EXISTS (
    SELECT 1 FROM pedidos p
    WHERE p.id = pedido_id
      AND p.estado = 'borrador'
      AND p.sucursal_id = (SELECT sucursal_id FROM users WHERE id = auth.uid())
  )
);

-- DELETE (admin): unrestricted
CREATE POLICY "detalle_delete_admin" ON pedido_detalle FOR DELETE USING (
  EXISTS (SELECT 1 FROM users WHERE id = auth.uid() AND rol = 'admin')
);

ALTER TABLE solicitudes_acceso ENABLE ROW LEVEL SECURITY;

-- Admins see all solicitudes
CREATE POLICY "sol_admin_sel" ON solicitudes_acceso FOR SELECT
  USING (EXISTS (SELECT 1 FROM users WHERE id = auth.uid() AND rol = 'admin'));

-- Admins can approve/reject
CREATE POLICY "sol_admin_upd" ON solicitudes_acceso FOR UPDATE
  USING (EXISTS (SELECT 1 FROM users WHERE id = auth.uid() AND rol = 'admin'));

-- Any authenticated user can insert (self-registration)
CREATE POLICY "sol_insert" ON solicitudes_acceso FOR INSERT
  WITH CHECK (auth.role() = 'authenticated');

-- Users can see their own solicitud
CREATE POLICY "sol_own_sel_2" ON solicitudes_acceso FOR SELECT
  USING (user_id = auth.uid());

-- Set session to simulate sucursal user
SET LOCAL request.jwt.claims TO '{"sub": "user-uuid-here"}';

-- Should only see own branch's orders
SELECT * FROM pedidos;

-- Should only update draft orders from own branch
UPDATE pedidos SET total_kilos = 100 WHERE id = 'draft-order-uuid';

-- Should fail for submitted orders
UPDATE pedidos SET total_kilos = 100 WHERE id = 'enviado-order-uuid';
-- Error: new row violates row-level security policy

-- Set session to simulate admin user
SET LOCAL request.jwt.claims TO '{"sub": "admin-uuid-here"}';

-- Should see all orders
SELECT * FROM pedidos;

-- Should update any order
UPDATE pedidos SET estado = 'aprobado' WHERE id = 'any-order-uuid';

-- Check if user is admin
EXISTS (SELECT 1 FROM users WHERE id = auth.uid() AND rol = 'admin')

-- Check if resource belongs to user's branch
sucursal_id = (SELECT sucursal_id FROM users WHERE id = auth.uid())

-- Only allow editing draft orders
estado = 'borrador' AND sucursal_id = (SELECT sucursal_id FROM users WHERE id = auth.uid())

-- Child inherits parent's access rules
EXISTS (
  SELECT 1 FROM pedidos p
  WHERE p.id = pedido_id
    AND [parent access condition]
)

UPDATE users 
SET es_superadmin = true, rol = 'admin', estado_cuenta = 'activo'
WHERE email IN ('[email protected]', '[email protected]');