diff --git a/schemas/99-rls-policies.sql b/schemas/99-rls-policies.sql
new file mode 100644
index 0000000..cc8a503
--- /dev/null
+++ b/schemas/99-rls-policies.sql
@@ -0,0 +1,161 @@
+-- ============================================================================
+-- ROW LEVEL SECURITY POLICIES - ERP Retail/POS
+-- ============================================================================
+-- Version: 1.0.0
+-- Fecha: 2026-01-24
+-- Descripcion: Politicas RLS para aislamiento por tenant en todas las tablas
+-- ============================================================================
+-- PREREQUISITOS:
+-- 1. ERP-Core instalado (auth schema con tenants)
+-- 2. Schema retail creado
+-- 3. Tablas retail.* creadas
+-- ============================================================================
+-- TABLAS CON TENANT_ID: 16
+-- - retail.branches
+-- - retail.cash_registers
+-- - retail.pos_sessions
+-- - retail.pos_orders
+-- - retail.pos_order_lines
+-- - retail.pos_payments
+-- - retail.cash_movements
+-- - retail.branch_stock
+-- - retail.stock_transfers
+-- - retail.stock_transfer_lines
+-- - retail.product_barcodes
+-- - retail.promotions
+-- - retail.promotion_products
+-- - retail.loyalty_programs
+-- - retail.loyalty_cards
+-- - retail.loyalty_transactions
+-- ============================================================================
+
+-- ============================================================================
+-- HABILITAR RLS EN TODAS LAS TABLAS
+-- ============================================================================
+
+ALTER TABLE retail.branches ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.cash_registers ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.pos_sessions ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.pos_orders ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.pos_order_lines ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.pos_payments ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.cash_movements ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.branch_stock ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.stock_transfers ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.stock_transfer_lines ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.product_barcodes ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.promotions ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.promotion_products ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.loyalty_programs ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.loyalty_cards ENABLE ROW LEVEL SECURITY;
+ALTER TABLE retail.loyalty_transactions ENABLE ROW LEVEL SECURITY;
+
+-- ============================================================================
+-- POLITICAS DE AISLAMIENTO POR TENANT
+-- ============================================================================
+
+-- -----------------------------------------------------------------------------
+-- SUCURSALES Y CONFIGURACION
+-- -----------------------------------------------------------------------------
+
+-- Policy: branches
+DROP POLICY IF EXISTS tenant_isolation_branches ON retail.branches;
+CREATE POLICY tenant_isolation_branches ON retail.branches
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: cash_registers
+DROP POLICY IF EXISTS tenant_isolation_cash_registers ON retail.cash_registers;
+CREATE POLICY tenant_isolation_cash_registers ON retail.cash_registers
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- -----------------------------------------------------------------------------
+-- PUNTO DE VENTA (RT-001)
+-- -----------------------------------------------------------------------------
+
+-- Policy: pos_sessions
+DROP POLICY IF EXISTS tenant_isolation_pos_sessions ON retail.pos_sessions;
+CREATE POLICY tenant_isolation_pos_sessions ON retail.pos_sessions
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: pos_orders
+DROP POLICY IF EXISTS tenant_isolation_pos_orders ON retail.pos_orders;
+CREATE POLICY tenant_isolation_pos_orders ON retail.pos_orders
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: pos_order_lines
+DROP POLICY IF EXISTS tenant_isolation_pos_order_lines ON retail.pos_order_lines;
+CREATE POLICY tenant_isolation_pos_order_lines ON retail.pos_order_lines
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: pos_payments
+DROP POLICY IF EXISTS tenant_isolation_pos_payments ON retail.pos_payments;
+CREATE POLICY tenant_isolation_pos_payments ON retail.pos_payments
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: cash_movements
+DROP POLICY IF EXISTS tenant_isolation_cash_movements ON retail.cash_movements;
+CREATE POLICY tenant_isolation_cash_movements ON retail.cash_movements
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- -----------------------------------------------------------------------------
+-- INVENTARIO MULTI-SUCURSAL (RT-002)
+-- -----------------------------------------------------------------------------
+
+-- Policy: branch_stock
+DROP POLICY IF EXISTS tenant_isolation_branch_stock ON retail.branch_stock;
+CREATE POLICY tenant_isolation_branch_stock ON retail.branch_stock
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: stock_transfers
+DROP POLICY IF EXISTS tenant_isolation_stock_transfers ON retail.stock_transfers;
+CREATE POLICY tenant_isolation_stock_transfers ON retail.stock_transfers
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: stock_transfer_lines
+DROP POLICY IF EXISTS tenant_isolation_stock_transfer_lines ON retail.stock_transfer_lines;
+CREATE POLICY tenant_isolation_stock_transfer_lines ON retail.stock_transfer_lines
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- -----------------------------------------------------------------------------
+-- PRODUCTOS RETAIL (RT-003)
+-- -----------------------------------------------------------------------------
+
+-- Policy: product_barcodes
+DROP POLICY IF EXISTS tenant_isolation_product_barcodes ON retail.product_barcodes;
+CREATE POLICY tenant_isolation_product_barcodes ON retail.product_barcodes
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: promotions
+DROP POLICY IF EXISTS tenant_isolation_promotions ON retail.promotions;
+CREATE POLICY tenant_isolation_promotions ON retail.promotions
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: promotion_products
+DROP POLICY IF EXISTS tenant_isolation_promotion_products ON retail.promotion_products;
+CREATE POLICY tenant_isolation_promotion_products ON retail.promotion_products
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- -----------------------------------------------------------------------------
+-- CLIENTES Y FIDELIZACION (RT-004)
+-- -----------------------------------------------------------------------------
+
+-- Policy: loyalty_programs
+DROP POLICY IF EXISTS tenant_isolation_loyalty_programs ON retail.loyalty_programs;
+CREATE POLICY tenant_isolation_loyalty_programs ON retail.loyalty_programs
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: loyalty_cards
+DROP POLICY IF EXISTS tenant_isolation_loyalty_cards ON retail.loyalty_cards;
+CREATE POLICY tenant_isolation_loyalty_cards ON retail.loyalty_cards
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- Policy: loyalty_transactions
+DROP POLICY IF EXISTS tenant_isolation_loyalty_transactions ON retail.loyalty_transactions;
+CREATE POLICY tenant_isolation_loyalty_transactions ON retail.loyalty_transactions
+ USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
+
+-- ============================================================================
+-- FIN POLITICAS RLS
+-- Total: 16 tablas con RLS habilitado
+-- Total: 16 politicas de aislamiento por tenant
+-- ============================================================================
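Review bot: The ALTER TABLE block at the top of the hunk only runs ENABLE ROW LEVEL SECURITY, and PostgreSQL does not apply policies to the table owner unless the table is also marked FORCE ROW LEVEL SECURITY, so if the application connects as the role that created the retail tables the tenant filter is silently not enforced (superusers and BYPASSRLS roles are exempt either way). Adding `ALTER TABLE retail.branches FORCE ROW LEVEL SECURITY;` for each of the 16 tables closes that gap, and because the same 16 names are repeated in the header comment, the ENABLE list and every policy name, folding the enable/force step into one DO block over a single table array (below) keeps those lists from drifting apart. The `current_setting('app.current_tenant_id', true)` predicate is fail-closed but undocumented: when the setting is unset the comparison is NULL and every statement sees no rows, which deserves a header line such as `-- If app.current_tenant_id is not set, current_setting(..., true) yields NULL and the policies match no rows (fail-closed).` Since the tenant comes from a plain session setting, the PREREQUISITOS section should also state which code path sets it and that the application role must neither own these tables nor hold BYPASSRLS.
```sql
-- … unchanged: header comment …
DO $$
DECLARE
    t text;
BEGIN
    FOREACH t IN ARRAY ARRAY[
        'branches', 'cash_registers', 'pos_sessions', 'pos_orders',
        'pos_order_lines', 'pos_payments', 'cash_movements', 'branch_stock',
        'stock_transfers', 'stock_transfer_lines', 'product_barcodes',
        'promotions', 'promotion_products', 'loyalty_programs',
        'loyalty_cards', 'loyalty_transactions'
    ] LOOP
        EXECUTE format('ALTER TABLE retail.%I ENABLE ROW LEVEL SECURITY', t);
        -- FORCE makes the policies apply to the table owner as well;
        -- superusers and BYPASSRLS roles still bypass them.
        EXECUTE format('ALTER TABLE retail.%I FORCE ROW LEVEL SECURITY', t);
    END LOOP;
END $$;
-- … unchanged: tenant isolation policies …
```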