erp-retail-database-v2/schemas/99-rls-policies.sql

-- ============================================================================
-- ROW LEVEL SECURITY POLICIES - ERP Retail/POS
-- ============================================================================
-- Version: 1.0.0
-- Fecha: 2026-01-24
-- Descripcion: Politicas RLS para aislamiento por tenant en todas las tablas
-- ============================================================================
-- PREREQUISITOS:
--   1. ERP-Core instalado (auth schema con tenants)
--   2. Schema retail creado
--   3. Tablas retail.* creadas
-- ============================================================================
-- TABLAS CON TENANT_ID: 16
--   - retail.branches
--   - retail.cash_registers
--   - retail.pos_sessions
--   - retail.pos_orders
--   - retail.pos_order_lines
--   - retail.pos_payments
--   - retail.cash_movements
--   - retail.branch_stock
--   - retail.stock_transfers
--   - retail.stock_transfer_lines
--   - retail.product_barcodes
--   - retail.promotions
--   - retail.promotion_products
--   - retail.loyalty_programs
--   - retail.loyalty_cards
--   - retail.loyalty_transactions
-- ============================================================================

-- ============================================================================
-- HABILITAR RLS EN TODAS LAS TABLAS
-- ============================================================================

ALTER TABLE retail.branches ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.cash_registers ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.pos_sessions ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.pos_orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.pos_order_lines ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.pos_payments ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.cash_movements ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.branch_stock ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.stock_transfers ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.stock_transfer_lines ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.product_barcodes ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.promotions ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.promotion_products ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.loyalty_programs ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.loyalty_cards ENABLE ROW LEVEL SECURITY;
ALTER TABLE retail.loyalty_transactions ENABLE ROW LEVEL SECURITY;

-- ============================================================================
-- POLITICAS DE AISLAMIENTO POR TENANT
-- ============================================================================

-- -----------------------------------------------------------------------------
-- SUCURSALES Y CONFIGURACION
-- -----------------------------------------------------------------------------

-- Policy: branches
DROP POLICY IF EXISTS tenant_isolation_branches ON retail.branches;
CREATE POLICY tenant_isolation_branches ON retail.branches
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- Policy: cash_registers
DROP POLICY IF EXISTS tenant_isolation_cash_registers ON retail.cash_registers;
CREATE POLICY tenant_isolation_cash_registers ON retail.cash_registers
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- -----------------------------------------------------------------------------
-- PUNTO DE VENTA (RT-001)
-- -----------------------------------------------------------------------------

-- Policy: pos_sessions
DROP POLICY IF EXISTS tenant_isolation_pos_sessions ON retail.pos_sessions;
CREATE POLICY tenant_isolation_pos_sessions ON retail.pos_sessions
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- Policy: pos_orders
DROP POLICY IF EXISTS tenant_isolation_pos_orders ON retail.pos_orders;
CREATE POLICY tenant_isolation_pos_orders ON retail.pos_orders
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- Policy: pos_order_lines
DROP POLICY IF EXISTS tenant_isolation_pos_order_lines ON retail.pos_order_lines;
CREATE POLICY tenant_isolation_pos_order_lines ON retail.pos_order_lines
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- Policy: pos_payments
DROP POLICY IF EXISTS tenant_isolation_pos_payments ON retail.pos_payments;
CREATE POLICY tenant_isolation_pos_payments ON retail.pos_payments
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- Policy: cash_movements
DROP POLICY IF EXISTS tenant_isolation_cash_movements ON retail.cash_movements;
CREATE POLICY tenant_isolation_cash_movements ON retail.cash_movements
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- -----------------------------------------------------------------------------
-- INVENTARIO MULTI-SUCURSAL (RT-002)
-- -----------------------------------------------------------------------------

-- Policy: branch_stock
DROP POLICY IF EXISTS tenant_isolation_branch_stock ON retail.branch_stock;
CREATE POLICY tenant_isolation_branch_stock ON retail.branch_stock
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- Policy: stock_transfers
DROP POLICY IF EXISTS tenant_isolation_stock_transfers ON retail.stock_transfers;
CREATE POLICY tenant_isolation_stock_transfers ON retail.stock_transfers
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- Policy: stock_transfer_lines
DROP POLICY IF EXISTS tenant_isolation_stock_transfer_lines ON retail.stock_transfer_lines;
CREATE POLICY tenant_isolation_stock_transfer_lines ON retail.stock_transfer_lines
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- -----------------------------------------------------------------------------
-- PRODUCTOS RETAIL (RT-003)
-- -----------------------------------------------------------------------------

-- Policy: product_barcodes
DROP POLICY IF EXISTS tenant_isolation_product_barcodes ON retail.product_barcodes;
CREATE POLICY tenant_isolation_product_barcodes ON retail.product_barcodes
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- Policy: promotions
DROP POLICY IF EXISTS tenant_isolation_promotions ON retail.promotions;
CREATE POLICY tenant_isolation_promotions ON retail.promotions
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- Policy: promotion_products
DROP POLICY IF EXISTS tenant_isolation_promotion_products ON retail.promotion_products;
CREATE POLICY tenant_isolation_promotion_products ON retail.promotion_products
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- -----------------------------------------------------------------------------
-- CLIENTES Y FIDELIZACION (RT-004)
-- -----------------------------------------------------------------------------

-- Policy: loyalty_programs
DROP POLICY IF EXISTS tenant_isolation_loyalty_programs ON retail.loyalty_programs;
CREATE POLICY tenant_isolation_loyalty_programs ON retail.loyalty_programs
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- Policy: loyalty_cards
DROP POLICY IF EXISTS tenant_isolation_loyalty_cards ON retail.loyalty_cards;
CREATE POLICY tenant_isolation_loyalty_cards ON retail.loyalty_cards
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- Policy: loyalty_transactions
DROP POLICY IF EXISTS tenant_isolation_loyalty_transactions ON retail.loyalty_transactions;
CREATE POLICY tenant_isolation_loyalty_transactions ON retail.loyalty_transactions
    USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid);

-- ============================================================================
-- FIN POLITICAS RLS
-- Total: 16 tablas con RLS habilitado
-- Total: 16 politicas de aislamiento por tenant
-- ============================================================================