RLS policy for coordinator proxy inserts
epic-proxy-activity-registration-foundation-task-003 — Define a Supabase Row Level Security policy on the activities table that permits INSERT only when the caller holds the coordinator role AND `registered_by` equals `auth.uid()`. Deny updates to `registered_by` and `attributed_to` after creation. Verify the policy blocks peer mentor users from performing proxy inserts.
Acceptance Criteria
Technical Requirements
Execution Context
Tier 1 - 540 tasks
Can start after Tier 0 completes
Implementation Notes
Use `CREATE POLICY ... AS PERMISSIVE ... FOR INSERT ... WITH CHECK (auth.jwt() ->> 'role' = 'coordinator' AND registered_by = auth.uid())`.
For immutability of registered_by and attributed_to, either (a) use a RESTRICTIVE UPDATE policy that checks OLD.registered_by = NEW.registered_by AND OLD.attributed_to = NEW.attributed_to, or (b) revoke UPDATE privilege on those specific columns from the authenticated role and grant it only to service_role. Option (b) is cleaner and more foolproof. Always place the new policy in a numbered Supabase migration file (e.g., 20260330_proxy_rls.sql) so it is version-controlled and reproducible. Confirm that task-001 (which likely creates the activities table or adds the registered_by/attributed_to columns) has been applied before running this migration.
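As an added example (not the project's own migration), the two notes above rendered as the numbered migration file they call for: the INSERT policy exactly as written, plus option (b) for immutability. The `authenticated`/`service_role` roles are Supabase defaults; the mutable column names `notes` and `ended_at` are placeholders.

```sql
-- supabase/migrations/20260330_proxy_rls.sql
-- Example migration (not the project's own file). Assumes task-001 already added
-- registered_by uuid and attributed_to uuid to public.activities, and that the
-- coordinator role arrives in the JWT 'role' claim exactly as the note above reads.

alter table public.activities enable row level security;

-- Proxy INSERT: only a coordinator, and only when they record themselves as the
-- registrar. 'to authenticated' is an added narrowing not stated in the note;
-- anonymous callers could not satisfy auth.uid() anyway.
create policy coordinator_proxy_insert
  on public.activities
  as permissive
  for insert
  to authenticated
  with check (
    (auth.jwt() ->> 'role') = 'coordinator'
    and registered_by = auth.uid()
  );
-- Chapter scoping (see the risk item further down) is deliberately left out: the
-- resolver for a coordinator's assigned chapter IDs is not defined by this task.

-- Immutability of registered_by / attributed_to, option (b) from the note.
-- Postgres cannot subtract columns from a table-level UPDATE grant with a
-- column-level REVOKE, so revoke the table privilege and re-grant only the
-- columns clients may change. 'notes' and 'ended_at' are placeholder column names.
revoke update on public.activities from authenticated;
grant update (notes, ended_at) on public.activities to authenticated;
-- service_role keeps its default table-level UPDATE grant and bypasses RLS,
-- so it remains the only role able to correct the two locked columns.

-- Rollback (ship alongside the migration, run only to revert):
-- drop policy if exists coordinator_proxy_insert on public.activities;
-- revoke update (notes, ended_at) on public.activities from authenticated;
-- grant update on public.activities to authenticated;
```

Two checks worth doing before merging: in Supabase JWTs the top-level `role` claim is the Postgres role (`authenticated` for signed-in users), so the coordinator value must actually be issued in that claim or the policy will never match; and an RLS policy cannot compare OLD and NEW (WITH CHECK sees only the new row), so option (a) from the note would have to be a BEFORE UPDATE trigger rather than a RESTRICTIVE policy.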
Testing Requirements
Write Supabase integration tests (via supabase-js or REST) using two test JWT tokens: one with role=coordinator and one with role=peer_mentor. Assert that INSERT succeeds for the coordinator with a matching registered_by, fails for the coordinator with a mismatched registered_by, and fails entirely for peer_mentor. Assert that UPDATE on registered_by and attributed_to returns an error for all roles. Include these tests in the CI migration validation step.
No Flutter unit tests required for this task — policy lives entirely in the database layer.
The activities table migration adding registered_by and attributed_to columns may conflict with existing RLS policies or FK constraints if the user profile table structure differs from assumptions, blocking all subsequent epics.
Mitigation & Contingency
Mitigation: Review existing activities table schema and RLS policies before writing the migration. Run the migration against a staging database clone first. Write rollback scripts alongside the migration.
Contingency: If migration fails in staging, isolate the conflict with a targeted schema audit, adjust FK references or RLS policy scope, and re-run before touching production.
The RLS policy must filter proxy inserts to the coordinator's chapter scope. If the chapter-scope resolver pattern differs between organisations (multi-chapter coordinators in NHF vs single-chapter in HLF), the policy may be too broad or too restrictive.
Mitigation & Contingency
Mitigation: Design the RLS policy to accept a coordinator's full set of assigned chapter IDs (array) rather than a single chapter_id. Validate the policy against NHF multi-chapter test fixtures during the integration test phase.
Contingency: If the policy is found to be incorrect after deployment, introduce a server-side validation edge function as a safety net while the RLS policy is corrected.
The bulk_register_activities RPC function may time out or cause lock contention when inserting large participant batches (e.g. 40+ peer mentors in a single group session), degrading the user experience.
Mitigation & Contingency
Mitigation: Benchmark the RPC function with 50-participant batches during development. Use unnest-based bulk insert rather than row-by-row PL/pgSQL loops. Set a reasonable statement_timeout.
Contingency: If performance is insufficient, split the client-side submission into chunks of 20 participants with progress feedback, rather than a single RPC call.