mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-16 17:39:40 +02:00
Adds the second RLS policy needed for shared spaces. Users can read rows in any space they're a member of, in addition to their own rows.

Changes:

- New policy sync_changes_space_member_read (SELECT only) uses app.current_user_space_ids session config: rows with space_id in that comma-separated list pass RLS.
- WITH CHECK is not extended — writes still require user_id match, so only the author can write. Members read, owner/author writes.
- withUser() is now a thin wrapper around withUserAndMemberships(), which accepts the caller's Space membership list and sets the new session config alongside app.current_user_id.
- The comma-join is empty-filtered so stray blank entries can't match rows with literal empty space_id (defense in depth).

Forward-compatible: today every space has exactly one member (the author), so the membership list is always empty and the new policy is a no-op — user_id isolation remains the only active guard. When shared spaces start being used (clubs/teams/brand spaces with invites), the HTTP handlers will fetch the caller's membership from mana-auth and pass it to withUserAndMemberships. No migration needed at that point — the policy is already live.

Subscription fan-out (WS/SSE broadcast to all space members) is still per-user; that's a follow-up tied to the membership lookup infra.

Go build + existing tests pass.

Plan: docs/plans/spaces-foundation.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

| Directory |
|---|
| mana-ai |
| mana-analytics |
| mana-api-gateway |
| mana-auth |
| mana-crawler |
| mana-credits |
| mana-events |
| mana-geocoding |
| mana-image-gen |
| mana-landing-builder |
| mana-llm |
| mana-mail |
| mana-media |
| mana-notify |
| mana-research |
| mana-search |
| mana-stt |
| mana-subscriptions |
| mana-sync |
| mana-tts |
| mana-user |
| mana-video-gen |
| mana-voice-bot |
| news-ingester |