[TASK-029] security: Add RLS policies for 16 retail tables

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 22:32:14 -06:00 · 2026-01-24 22:32:14 -06:00 · 8d2480864a
commit 8d2480864a
parent a6606792b3
1 changed files with 161 additions and 0 deletions
--- a/schemas/99-rls-policies.sql
+++ b/schemas/99-rls-policies.sql
@ -0,0 +1,161 @@
+-- ============================================================================
+-- ROW LEVEL SECURITY POLICIES - ERP Retail/POS
+-- ============================================================================
+-- Version: 1.0.0
+-- Fecha: 2026-01-24
+-- Descripcion: Politicas RLS para aislamiento por tenant en todas las tablas
+-- ============================================================================
+-- PREREQUISITOS:
+--   1. ERP-Core instalado (auth schema con tenants)
+--   2. Schema retail creado
+--   3. Tablas retail.* creadas
+-- ============================================================================
+-- TABLAS CON TENANT_ID: 16
+--   - retail.branches
+--   - retail.cash_registers
+--   - retail.pos_sessions
+--   - retail.pos_orders
+--   - retail.pos_order_lines
+--   - retail.pos_payments
+--   - retail.cash_movements
+--   - retail.branch_stock
+--   - retail.stock_transfers
+--   - retail.stock_transfer_lines
+--   - retail.product_barcodes
+--   - retail.promotions
+--   - retail.promotion_products
+--   - retail.loyalty_programs
+--   - retail.loyalty_cards
+--   - retail.loyalty_transactions
+-- ============================================================================
+
+-- ============================================================================
+-- HABILITAR RLS EN TODAS LAS TABLAS
+-- ============================================================================
+
+ALTER TABLE retail.branches ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.cash_registers ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.pos_sessions ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.pos_orders ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.pos_order_lines ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.pos_payments ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.cash_movements ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.branch_stock ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.stock_transfers ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.stock_transfer_lines ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.product_barcodes ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.promotions ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.promotion_products ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.loyalty_programs ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.loyalty_cards ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.loyalty_transactions ENABLE ROW LEVEL SECURITY;
+
+-- ============================================================================
+-- POLITICAS DE AISLAMIENTO POR TENANT
+-- ============================================================================
+
+-- -----------------------------------------------------------------------------
+-- SUCURSALES Y CONFIGURACION
+-- -----------------------------------------------------------------------------
+
+-- Policy: branches
+DROP POLICY IF EXISTS tenant_isolation_branches ON retail.branches;
+CREATE POLICY tenant_isolation_branches ON retail.branches
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: cash_registers
+DROP POLICY IF EXISTS tenant_isolation_cash_registers ON retail.cash_registers;
+CREATE POLICY tenant_isolation_cash_registers ON retail.cash_registers
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- -----------------------------------------------------------------------------
+-- PUNTO DE VENTA (RT-001)
+-- -----------------------------------------------------------------------------
+
+-- Policy: pos_sessions
+DROP POLICY IF EXISTS tenant_isolation_pos_sessions ON retail.pos_sessions;
+CREATE POLICY tenant_isolation_pos_sessions ON retail.pos_sessions
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: pos_orders
+DROP POLICY IF EXISTS tenant_isolation_pos_orders ON retail.pos_orders;
+CREATE POLICY tenant_isolation_pos_orders ON retail.pos_orders
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: pos_order_lines
+DROP POLICY IF EXISTS tenant_isolation_pos_order_lines ON retail.pos_order_lines;
+CREATE POLICY tenant_isolation_pos_order_lines ON retail.pos_order_lines
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: pos_payments
+DROP POLICY IF EXISTS tenant_isolation_pos_payments ON retail.pos_payments;
+CREATE POLICY tenant_isolation_pos_payments ON retail.pos_payments
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: cash_movements
+DROP POLICY IF EXISTS tenant_isolation_cash_movements ON retail.cash_movements;
+CREATE POLICY tenant_isolation_cash_movements ON retail.cash_movements
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- -----------------------------------------------------------------------------
+-- INVENTARIO MULTI-SUCURSAL (RT-002)
+-- -----------------------------------------------------------------------------
+
+-- Policy: branch_stock
+DROP POLICY IF EXISTS tenant_isolation_branch_stock ON retail.branch_stock;
+CREATE POLICY tenant_isolation_branch_stock ON retail.branch_stock
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: stock_transfers
+DROP POLICY IF EXISTS tenant_isolation_stock_transfers ON retail.stock_transfers;
+CREATE POLICY tenant_isolation_stock_transfers ON retail.stock_transfers
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: stock_transfer_lines
+DROP POLICY IF EXISTS tenant_isolation_stock_transfer_lines ON retail.stock_transfer_lines;
+CREATE POLICY tenant_isolation_stock_transfer_lines ON retail.stock_transfer_lines
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- -----------------------------------------------------------------------------
+-- PRODUCTOS RETAIL (RT-003)
+-- -----------------------------------------------------------------------------
+
+-- Policy: product_barcodes
+DROP POLICY IF EXISTS tenant_isolation_product_barcodes ON retail.product_barcodes;
+CREATE POLICY tenant_isolation_product_barcodes ON retail.product_barcodes
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: promotions
+DROP POLICY IF EXISTS tenant_isolation_promotions ON retail.promotions;
+CREATE POLICY tenant_isolation_promotions ON retail.promotions
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: promotion_products
+DROP POLICY IF EXISTS tenant_isolation_promotion_products ON retail.promotion_products;
+CREATE POLICY tenant_isolation_promotion_products ON retail.promotion_products
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- -----------------------------------------------------------------------------
+-- CLIENTES Y FIDELIZACION (RT-004)
+-- -----------------------------------------------------------------------------
+
+-- Policy: loyalty_programs
+DROP POLICY IF EXISTS tenant_isolation_loyalty_programs ON retail.loyalty_programs;
+CREATE POLICY tenant_isolation_loyalty_programs ON retail.loyalty_programs
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: loyalty_cards
+DROP POLICY IF EXISTS tenant_isolation_loyalty_cards ON retail.loyalty_cards;
+CREATE POLICY tenant_isolation_loyalty_cards ON retail.loyalty_cards
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: loyalty_transactions
+DROP POLICY IF EXISTS tenant_isolation_loyalty_transactions ON retail.loyalty_transactions;
+CREATE POLICY tenant_isolation_loyalty_transactions ON retail.loyalty_transactions
+    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- ============================================================================
+-- FIN POLITICAS RLS
+-- Total: 16 tablas con RLS habilitado
+-- Total: 16 politicas de aislamiento por tenant
+-- ============================================================================