-- n8n import into public.order_groups
--
-- Recommended setup:
-- 1. n8n must call the Supabase REST API with the SERVICE_ROLE key, not the anon key.
-- 2. Keep RLS closed for anon/authenticated inserts unless the request comes
--    from an authenticated application user with a coordination role.
--
-- n8n HTTP headers for REST inserts:
--   apikey: <SUPABASE_SERVICE_ROLE_KEY>
--   Authorization: Bearer <SUPABASE_SERVICE_ROLE_KEY>
--   Content-Type: application/json
--   Prefer: resolution=merge-duplicates,return=representation
--
-- Endpoint example:
--   POST https://<project-ref>.supabase.co/rest/v1/order_groups
--
-- Why this is needed:
-- current_role_name() is based on auth.uid() and public.users. A plain n8n
-- anon request has no application user, so insert policies such as
-- current_role_name() in ('manager', 'logistician', 'admin') reject the row.
-- service_role bypasses RLS and is the correct key for trusted server workflows.
-- Because that key bypasses every RLS policy, keep it in n8n's server-side
-- credentials only; it must never reach browser or mobile client code.

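-- Turn on row level security for order_groups. Once enabled, a role that does
-- not bypass RLS can only insert rows that a policy explicitly allows.
alter table public.order_groups enable row level security;

-- Recreate the insert policy so the script can be re-run safely.
-- Despite its name, this policy governs application users: a row is accepted
-- only when public.current_role_name() resolves to one of the coordination
-- roles listed below. Requests made with the service_role key bypass RLS and
-- are therefore never evaluated against this check.
drop policy if exists "order groups insert service roles" on public.order_groups;
create policy "order groups insert service roles" on public.order_groups
  for insert
  -- Scope the policy to signed-in users so the anon role is excluded by the
  -- policy itself rather than only by current_role_name() returning null.
  -- NOTE(review): assumes every app user connects as Supabase's
  -- "authenticated" role; confirm no custom JWT role relies on this policy.
  to authenticated
  with check (public.current_role_name() in ('manager', 'logistician', 'admin'));
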
-- Optional diagnostic. A null result for the JWT that n8n sends means that
-- JWT does not map to an app user, so it cannot satisfy the application-user
-- RLS policy.
-- NOTE(review): run this in a session that carries the JWT under test; a
-- session with no request JWT presumably has no auth.uid() and would show
-- null as well. Confirm against current_role_name()'s definition.
select
  public.current_role_name() as current_app_role;