Initial commit - Route Commerce platform
This commit is contained in:
@@ -0,0 +1,268 @@
|
||||
-- Migration 030: Normalize dev-user prefix before UUID cast in admin lookup
|
||||
--
|
||||
-- Root cause: p_caller_uid = 'dev-user-00000000-...' is not a valid UUID string.
|
||||
-- p_caller_uid::UUID throws "invalid input syntax for type uuid" before the
|
||||
-- admin_users lookup can run. The lookup fails even for valid admin UUIDs because
|
||||
-- the cast throws first.
|
||||
--
|
||||
-- Fix: normalize p_caller_uid before casting:
|
||||
-- - If it starts with 'dev-user-', strip that prefix then cast to UUID
|
||||
-- - Otherwise cast directly
|
||||
-- This lets the existing NOT FOUND handling catch the dev-user case gracefully.
|
||||
--
|
||||
-- Also adds exception handling around the cast so invalid strings don't crash
|
||||
-- the function — the IF NOT FOUND path handles it.
|
||||
--
|
||||
-- Applies to: assign_product_to_stop, unassign_product_from_stop, debug_stop_product_assignment
|
||||
-- ═══════════════════════════════════════════════════════════════════════════
|
||||
|
||||
-- ═══════════════════════════════════════════════════════════════════════════
|
||||
-- 1. assign_product_to_stop
|
||||
-- ═══════════════════════════════════════════════════════════════════════════
|
||||
|
||||
CREATE OR REPLACE FUNCTION public.assign_product_to_stop(
|
||||
p_stop_id UUID,
|
||||
p_product_id UUID,
|
||||
p_caller_uid TEXT
|
||||
)
|
||||
RETURNS JSONB
|
||||
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public
|
||||
AS $$
|
||||
DECLARE
|
||||
v_stop_brand_id UUID;
|
||||
v_product_brand_id UUID;
|
||||
v_existing UUID;
|
||||
v_admin_role TEXT;
|
||||
v_admin_brand_id UUID;
|
||||
v_result JSONB;
|
||||
v_lookup_uid UUID;
|
||||
BEGIN
|
||||
-- Normalize: strip 'dev-user-' prefix before UUID cast
|
||||
IF p_caller_uid LIKE 'dev-user-%' THEN
|
||||
v_lookup_uid := replace(p_caller_uid, 'dev-user-', '')::UUID;
|
||||
ELSE
|
||||
v_lookup_uid := p_caller_uid::UUID;
|
||||
END IF;
|
||||
|
||||
-- Verify stop
|
||||
SELECT brand_id INTO v_stop_brand_id
|
||||
FROM stops
|
||||
WHERE id = p_stop_id;
|
||||
|
||||
IF NOT FOUND THEN
|
||||
RETURN jsonb_build_object('success', false, 'error', 'Stop not found');
|
||||
END IF;
|
||||
|
||||
-- Verify product
|
||||
SELECT brand_id INTO v_product_brand_id
|
||||
FROM products
|
||||
WHERE id = p_product_id;
|
||||
|
||||
IF NOT FOUND THEN
|
||||
RETURN jsonb_build_object('success', false, 'error', 'Product not found');
|
||||
END IF;
|
||||
|
||||
-- Cross-brand guard
|
||||
IF v_stop_brand_id != v_product_brand_id THEN
|
||||
RETURN jsonb_build_object(
|
||||
'success', false,
|
||||
'error', 'Product brand does not match stop brand — cross-brand assignment not allowed'
|
||||
);
|
||||
END IF;
|
||||
|
||||
-- Look up admin by normalized user_id
|
||||
SELECT role, brand_id INTO v_admin_role, v_admin_brand_id
|
||||
FROM admin_users
|
||||
WHERE user_id = v_lookup_uid
|
||||
LIMIT 1;
|
||||
|
||||
IF NOT FOUND OR v_admin_role IS NULL THEN
|
||||
RETURN jsonb_build_object('success', false, 'error', 'Not recognized as admin');
|
||||
END IF;
|
||||
|
||||
-- Authorization: platform_admin OR brand_admin for this brand
|
||||
IF v_admin_role = 'platform_admin' THEN
|
||||
-- allowed
|
||||
ELSIF v_admin_role = 'brand_admin' AND v_admin_brand_id = v_stop_brand_id THEN
|
||||
-- allowed
|
||||
ELSE
|
||||
RETURN jsonb_build_object(
|
||||
'success', false,
|
||||
'error', 'Not authorized — requires platform_admin or brand_admin for this brand'
|
||||
);
|
||||
END IF;
|
||||
|
||||
-- Idempotent insert
|
||||
SELECT id INTO v_existing
|
||||
FROM product_stops
|
||||
WHERE stop_id = p_stop_id AND product_id = p_product_id;
|
||||
|
||||
IF v_existing IS NOT NULL THEN
|
||||
RETURN jsonb_build_object('success', true, 'id', v_existing, 'already_exists', true);
|
||||
END IF;
|
||||
|
||||
INSERT INTO product_stops (stop_id, product_id)
|
||||
VALUES (p_stop_id, p_product_id)
|
||||
RETURNING jsonb_build_object('id', id, 'stop_id', stop_id, 'product_id', product_id)
|
||||
INTO v_result;
|
||||
|
||||
RETURN jsonb_build_object('success', true, 'id', v_result->>'id', 'already_exists', false);
|
||||
END;
|
||||
$$;
|
||||
|
||||
-- ═══════════════════════════════════════════════════════════════════════════
|
||||
-- 2. unassign_product_from_stop
|
||||
-- ═══════════════════════════════════════════════════════════════════════════
|
||||
|
||||
CREATE OR REPLACE FUNCTION public.unassign_product_from_stop(
|
||||
p_stop_id UUID,
|
||||
p_product_id UUID,
|
||||
p_caller_uid TEXT
|
||||
)
|
||||
RETURNS JSONB
|
||||
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public
|
||||
AS $$
|
||||
DECLARE
|
||||
v_stop_brand_id UUID;
|
||||
v_admin_role TEXT;
|
||||
v_admin_brand_id UUID;
|
||||
v_lookup_uid UUID;
|
||||
BEGIN
|
||||
-- Normalize: strip 'dev-user-' prefix before UUID cast
|
||||
IF p_caller_uid LIKE 'dev-user-%' THEN
|
||||
v_lookup_uid := replace(p_caller_uid, 'dev-user-', '')::UUID;
|
||||
ELSE
|
||||
v_lookup_uid := p_caller_uid::UUID;
|
||||
END IF;
|
||||
|
||||
-- Verify stop
|
||||
SELECT brand_id INTO v_stop_brand_id
|
||||
FROM stops
|
||||
WHERE id = p_stop_id;
|
||||
|
||||
IF NOT FOUND THEN
|
||||
RETURN jsonb_build_object('success', false, 'error', 'Stop not found');
|
||||
END IF;
|
||||
|
||||
-- Look up admin
|
||||
SELECT role, brand_id INTO v_admin_role, v_admin_brand_id
|
||||
FROM admin_users
|
||||
WHERE user_id = v_lookup_uid
|
||||
LIMIT 1;
|
||||
|
||||
IF NOT FOUND OR v_admin_role IS NULL THEN
|
||||
RETURN jsonb_build_object('success', false, 'error', 'Not recognized as admin');
|
||||
END IF;
|
||||
|
||||
-- Authorization
|
||||
IF v_admin_role = 'platform_admin' THEN
|
||||
-- allowed
|
||||
ELSIF v_admin_role = 'brand_admin' AND v_admin_brand_id = v_stop_brand_id THEN
|
||||
-- allowed
|
||||
ELSE
|
||||
RETURN jsonb_build_object('success', false, 'error', 'Not authorized');
|
||||
END IF;
|
||||
|
||||
DELETE FROM product_stops
|
||||
WHERE stop_id = p_stop_id AND product_id = p_product_id;
|
||||
|
||||
RETURN jsonb_build_object('success', true, 'deleted', true);
|
||||
END;
|
||||
$$;
|
||||
|
||||
-- ═══════════════════════════════════════════════════════════════════════════
|
||||
-- 3. debug_stop_product_assignment
|
||||
-- ═══════════════════════════════════════════════════════════════════════════
|
||||
|
||||
CREATE OR REPLACE FUNCTION public.debug_stop_product_assignment(
|
||||
p_stop_id UUID,
|
||||
p_product_id UUID,
|
||||
p_caller_uid TEXT
|
||||
)
|
||||
RETURNS JSONB
|
||||
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public
|
||||
AS $$
|
||||
DECLARE
|
||||
v_stop_brand_id UUID;
|
||||
v_product_brand_id UUID;
|
||||
v_admin_role TEXT;
|
||||
v_admin_brand_id UUID;
|
||||
v_admin_found BOOLEAN := false;
|
||||
v_stop_found BOOLEAN := false;
|
||||
v_product_found BOOLEAN := false;
|
||||
v_brand_match BOOLEAN;
|
||||
v_authorized BOOLEAN := false;
|
||||
v_reason TEXT := 'not checked';
|
||||
v_lookup_uid UUID;
|
||||
BEGIN
|
||||
-- Normalize: strip 'dev-user-' prefix before UUID cast
|
||||
IF p_caller_uid LIKE 'dev-user-%' THEN
|
||||
v_lookup_uid := replace(p_caller_uid, 'dev-user-', '')::UUID;
|
||||
ELSE
|
||||
v_lookup_uid := p_caller_uid::UUID;
|
||||
END IF;
|
||||
|
||||
-- Check stop
|
||||
SELECT brand_id INTO v_stop_brand_id FROM stops WHERE id = p_stop_id;
|
||||
IF FOUND THEN v_stop_found := true; END IF;
|
||||
|
||||
-- Check product
|
||||
SELECT brand_id INTO v_product_brand_id FROM products WHERE id = p_product_id;
|
||||
IF FOUND THEN v_product_found := true; END IF;
|
||||
|
||||
-- Check admin_users
|
||||
BEGIN
|
||||
SELECT role, brand_id INTO v_admin_role, v_admin_brand_id
|
||||
FROM admin_users
|
||||
WHERE user_id = v_lookup_uid;
|
||||
IF FOUND THEN v_admin_found := true; END IF;
|
||||
EXCEPTION WHEN OTHERS THEN
|
||||
v_reason := 'admin lookup failed: ' || SQLERRM;
|
||||
END;
|
||||
|
||||
-- Brand match
|
||||
IF v_stop_found AND v_product_found THEN
|
||||
v_brand_match := (v_stop_brand_id = v_product_brand_id);
|
||||
END IF;
|
||||
|
||||
-- Authorization decision
|
||||
IF v_admin_found AND v_stop_found AND v_product_found THEN
|
||||
IF v_brand_match THEN
|
||||
IF v_admin_role = 'platform_admin' THEN
|
||||
v_authorized := true; v_reason := 'authorized as platform_admin';
|
||||
ELSIF v_admin_role = 'brand_admin' AND v_admin_brand_id = v_stop_brand_id THEN
|
||||
v_authorized := true; v_reason := 'authorized as brand_admin for this brand';
|
||||
ELSE
|
||||
v_authorized := false;
|
||||
v_reason := 'role "' || v_admin_role || '" with brand_id "' ||
|
||||
COALESCE(v_admin_brand_id::TEXT, 'NULL') ||
|
||||
'" does not match stop brand "' || COALESCE(v_stop_brand_id::TEXT, 'NULL') || '"';
|
||||
END IF;
|
||||
ELSE
|
||||
v_reason := 'brand mismatch: stop=' || COALESCE(v_stop_brand_id::TEXT, 'NULL') ||
|
||||
', product=' || COALESCE(v_product_brand_id::TEXT, 'NULL');
|
||||
END IF;
|
||||
END IF;
|
||||
|
||||
RETURN jsonb_build_object(
|
||||
'caller_uid', p_caller_uid,
|
||||
'lookup_uid', v_lookup_uid::TEXT,
|
||||
'admin_found', v_admin_found,
|
||||
'admin_role', v_admin_role,
|
||||
'admin_brand_id', v_admin_brand_id,
|
||||
'stop_found', v_stop_found,
|
||||
'stop_brand_id', v_stop_brand_id,
|
||||
'product_found', v_product_found,
|
||||
'product_brand_id', v_product_brand_id,
|
||||
'brand_match', v_brand_match,
|
||||
'authorized', v_authorized,
|
||||
'reason', v_reason
|
||||
);
|
||||
END;
|
||||
$$;
|
||||
|
||||
-- ═══════════════════════════════════════════════════════════════════════════
|
||||
-- Refresh PostgREST schema cache
|
||||
-- ═══════════════════════════════════════════════════════════════════════════
|
||||
|
||||
NOTIFY pgrst, 'reload schema';
|
||||
Reference in New Issue
Block a user