capstone-prototype/supabase/schema.sql at main · happymukande/capstone-prototype · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
create extension if not exists pgcrypto;

create schema if not exists private;
revoke all on schema private from public;
grant usage on schema private to authenticated;

-- Shared timestamp trigger utility.
create or replace function public.set_updated_at_timestamp()
returns trigger
language plpgsql
as $$
begin
  new.updated_at = timezone('utc', now());
  return new;
end;
$$;

-- Role assignments for authenticated users.
-- Roles: student, teacher, admin.
create table if not exists public.app_user_roles (
  user_id uuid primary key references auth.users(id) on delete cascade,
  role text not null check (role in ('student', 'teacher', 'admin')),
  created_at timestamptz not null default timezone('utc', now()),
  updated_at timestamptz not null default timezone('utc', now())
);

drop trigger if exists trg_app_user_roles_updated_at on public.app_user_roles;
create trigger trg_app_user_roles_updated_at
before update on public.app_user_roles
for each row
execute function public.set_updated_at_timestamp();

alter table public.app_user_roles enable row level security;

-- Keep security-definer helpers out of public/exposed schemas.
create or replace function private.has_app_role(required_roles text[])
returns boolean
language sql
stable
security definer
set search_path = public, auth, pg_temp
as $$
  select
    (select auth.uid()) is not null
    and exists (
      select 1
      from public.app_user_roles aur
      where aur.user_id = (select auth.uid())
        and aur.role = any(required_roles)
    );
$$;

revoke all on function private.has_app_role(text[]) from public;
grant execute on function private.has_app_role(text[]) to authenticated;

-- Optional but useful: every new auth user gets a default student role.
create or replace function private.handle_new_user_default_role()
returns trigger
language plpgsql
security definer
set search_path = public, auth, pg_temp
as $$
begin
  insert into public.app_user_roles (user_id, role)
  values (new.id, 'student')
  on conflict (user_id) do nothing;

  return new;
end;
$$;

drop trigger if exists trg_handle_new_user_default_role on auth.users;
create trigger trg_handle_new_user_default_role
after insert on auth.users
for each row
execute function private.handle_new_user_default_role();

revoke all on table public.app_user_roles from anon;
grant select, insert, update, delete on table public.app_user_roles to authenticated;

drop policy if exists "read_own_or_admin_user_role" on public.app_user_roles;
create policy "read_own_or_admin_user_role"
  on public.app_user_roles
  for select
  to authenticated
  using (
    user_id = (select auth.uid())
    or (select private.has_app_role(array['admin']))
  );

drop policy if exists "admin_insert_user_role" on public.app_user_roles;
create policy "admin_insert_user_role"
  on public.app_user_roles
  for insert
  to authenticated
  with check ((select private.has_app_role(array['admin'])));

drop policy if exists "admin_update_user_role" on public.app_user_roles;
create policy "admin_update_user_role"
  on public.app_user_roles
  for update
  to authenticated
  using ((select private.has_app_role(array['admin'])))
  with check ((select private.has_app_role(array['admin'])));

drop policy if exists "admin_delete_user_role" on public.app_user_roles;
create policy "admin_delete_user_role"
  on public.app_user_roles
  for delete
  to authenticated
  using ((select private.has_app_role(array['admin'])));

-- Progress sync table used by the mobile client.
create table if not exists public.user_progress (
  user_id text primary key,
  progress_map jsonb not null default '{}'::jsonb,
  gamification_state jsonb not null default '{}'::jsonb,
  updated_at timestamptz not null default timezone('utc', now())
);

alter table public.user_progress
  add column if not exists gamification_state jsonb not null default '{}'::jsonb;

drop trigger if exists trg_user_progress_updated_at on public.user_progress;
create trigger trg_user_progress_updated_at
before update on public.user_progress
for each row
execute function public.set_updated_at_timestamp();

alter table public.user_progress enable row level security;

revoke all on table public.user_progress from anon;
grant select, insert, update, delete on table public.user_progress to authenticated;

drop policy if exists "read_own_or_staff_user_progress" on public.user_progress;
create policy "read_own_or_staff_user_progress"
  on public.user_progress
  for select
  to authenticated
  using (
    user_id = (select auth.uid())::text
    or (select private.has_app_role(array['teacher', 'admin']))
  );

drop policy if exists "insert_own_or_staff_user_progress" on public.user_progress;
create policy "insert_own_or_staff_user_progress"
  on public.user_progress
  for insert
  to authenticated
  with check (
    user_id = (select auth.uid())::text
    or (select private.has_app_role(array['teacher', 'admin']))
  );

drop policy if exists "update_own_or_staff_user_progress" on public.user_progress;
create policy "update_own_or_staff_user_progress"
  on public.user_progress
  for update
  to authenticated
  using (
    user_id = (select auth.uid())::text
    or (select private.has_app_role(array['teacher', 'admin']))
  )
  with check (
    user_id = (select auth.uid())::text
    or (select private.has_app_role(array['teacher', 'admin']))
  );

drop policy if exists "admin_delete_user_progress" on public.user_progress;
create policy "admin_delete_user_progress"
  on public.user_progress
  for delete
  to authenticated
  using ((select private.has_app_role(array['admin'])));

-- Curriculum content table for teacher-managed lessons.
-- lecture_notes and quizzes are JSON arrays aligned with the app shape.
create table if not exists public.lesson_content (
  id text primary key,
  title text not null,
  description text not null default '',
  status text not null default 'draft'
    check (status in ('draft', 'published', 'archived')),
  duration_minutes integer not null default 20
    check (duration_minutes > 0),
  audience text not null default 'secondary-school',
  tags text[] not null default '{}'::text[],
  lecture_notes jsonb not null default '[]'::jsonb,
  quizzes jsonb not null default '[]'::jsonb,
  created_by uuid references auth.users(id) on delete set null,
  created_at timestamptz not null default timezone('utc', now()),
  updated_at timestamptz not null default timezone('utc', now())
);

alter table public.lesson_content
  add column if not exists created_by uuid references auth.users(id) on delete set null;

create index if not exists idx_lesson_content_status on public.lesson_content(status);
create index if not exists idx_lesson_content_updated_at on public.lesson_content(updated_at desc);
create index if not exists idx_lesson_content_created_by on public.lesson_content(created_by);

create or replace function private.set_lesson_content_creator()
returns trigger
language plpgsql
set search_path = public, auth, pg_temp
as $$
begin
  if tg_op = 'INSERT' then
    if new.created_by is null then
      new.created_by = auth.uid();
    end if;
  elsif tg_op = 'UPDATE' then
    new.created_by = old.created_by;
  end if;

  return new;
end;
$$;

drop trigger if exists trg_lesson_content_set_creator on public.lesson_content;
create trigger trg_lesson_content_set_creator
before insert or update on public.lesson_content
for each row
execute function private.set_lesson_content_creator();

drop trigger if exists trg_lesson_content_updated_at on public.lesson_content;
create trigger trg_lesson_content_updated_at
before update on public.lesson_content
for each row
execute function public.set_updated_at_timestamp();

alter table public.lesson_content enable row level security;

revoke all on table public.lesson_content from anon;
grant select on table public.lesson_content to anon;
grant select, insert, update, delete on table public.lesson_content to authenticated;

-- Public can only read published lessons.
drop policy if exists "read_published_lesson_content" on public.lesson_content;
create policy "read_published_lesson_content"
  on public.lesson_content
  for select
  to anon, authenticated
  using (status = 'published');

-- Teachers/admins can read all lessons including draft/archived.
drop policy if exists "staff_read_all_lesson_content" on public.lesson_content;
create policy "staff_read_all_lesson_content"
  on public.lesson_content
  for select
  to authenticated
  using ((select private.has_app_role(array['teacher', 'admin'])));

drop policy if exists "teacher_or_admin_insert_lesson_content" on public.lesson_content;
create policy "teacher_or_admin_insert_lesson_content"
  on public.lesson_content
  for insert
  to authenticated
  with check (
    (select private.has_app_role(array['teacher', 'admin']))
    and (
      created_by is null
      or created_by = (select auth.uid())
    )
  );

drop policy if exists "teacher_or_admin_update_lesson_content" on public.lesson_content;
create policy "teacher_or_admin_update_lesson_content"
  on public.lesson_content
  for update
  to authenticated
  using ((select private.has_app_role(array['teacher', 'admin'])))
  with check ((select private.has_app_role(array['teacher', 'admin'])));

drop policy if exists "admin_delete_lesson_content" on public.lesson_content;
create policy "admin_delete_lesson_content"
  on public.lesson_content
  for delete
  to authenticated
  using ((select private.has_app_role(array['admin'])));

-- Bootstrap example:
-- Upgrade a specific user after signup created their default 'student' role row.
-- insert into public.app_user_roles (user_id, role)
-- values ('<auth-user-uuid>', 'teacher')
-- on conflict (user_id) do update set role = excluded.role;