From 3f39b24aa57b0511d72e5694f6df7467ed1c9c77 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Wed, 20 May 2026 10:34:08 +0000
Subject: [PATCH] Drop permissive festival-assets storage write policies

The festival-logo migration created INSERT/UPDATE/DELETE policies gated
only on auth.role() = 'authenticated', which OR-combined with the later
admin-only policies and let any authenticated user write festival assets.

https://claude.ai/code/session_01DXGpafRd5ytK6UTuKFNrQH
---
 .../20260520000000_fix_festival_assets_rls_policies.sql   | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 supabase/migrations/20260520000000_fix_festival_assets_rls_policies.sql

diff --git a/supabase/migrations/20260520000000_fix_festival_assets_rls_policies.sql b/supabase/migrations/20260520000000_fix_festival_assets_rls_policies.sql
new file mode 100644
index 00000000..5eb32596
--- /dev/null
+++ b/supabase/migrations/20260520000000_fix_festival_assets_rls_policies.sql
@@ -0,0 +1,8 @@
+-- Fix festival-assets storage RLS: drop permissive write policies that allowed
+-- any authenticated user to upload/update/delete festival logos.
+-- Postgres ORs permissive policies together, so these bypassed the intended
+-- admin-only restriction added by "Admins can ... festival assets".
+
+DROP POLICY IF EXISTS "Allow authenticated users to upload festival logos" ON storage.objects;
+DROP POLICY IF EXISTS "Allow users to update their festival logos" ON storage.objects;
+DROP POLICY IF EXISTS "Allow users to delete festival logos" ON storage.objects;