fix: grant read and delete permissions for invite codes to editors fo…

…r public studies

database/migration/20240718225620_migrate_disable_invite_public_study.sql

@@ -4,7 +4,46 @@
 DROP POLICY "Editors can do everything with study invite codes" ON public.study_invite;
 
 -- Create new policy
--- Editors can do everything with study invite codes if participation is invite
-CREATE POLICY "Editors can do everything with study invite codes if participation is invite" ON public.study_invite USING (( SELECT public.can_edit(auth.uid(), study.*) AS can_edit
+
+-- Name: study_invite Editors can manage their own invite-only study invite codes; Type: POLICY; Schema: public; Owner: postgres
+CREATE POLICY "Editors can manage their own invite-only study invite codes" ON public.study_invite
+USING (
+ (
+   SELECT public.can_edit(auth.uid(), study.*) AS can_edit
    FROM public.study
-  WHERE (study.id = study_invite.study_id AND study.participation = 'invite'::public.participation)));
+   WHERE study.id = study_invite.study_id
+   AND study.participation = 'invite'::public.participation
+ )
+);
+
+--
+-- Name: study_invite Editors can read their own open-study invite codes; Type: POLICY; Schema: public; Owner: postgres
+--
+
+CREATE POLICY "Editors can read their own open-study invite codes"
+ON public.study_invite
+FOR SELECT
+USING (
+ (
+  SELECT public.can_edit(auth.uid(), study.*) AS can_edit
+  FROM public.study
+  WHERE study.id = study_invite.study_id
+  AND study.participation = 'open'::public.participation
+ )
+);
+
+--
+-- Name: study_invite Editors can delete their own open-study invite codes; Type: POLICY; Schema: public; Owner: postgres
+--
+
+CREATE POLICY "Editors can delete their own open-study invite codes"
+ON public.study_invite
+FOR DELETE
+USING (
+  (
+    SELECT public.can_edit(auth.uid(), study.*) AS can_edit
+    FROM public.study
+    WHERE study.id = study_invite.study_id
+    AND study.participation = 'open'::public.participation
+  )
+);

database/studyu-schema.sql

@@ -887,12 +887,50 @@ AND (registry_published = true OR participation = 'open'::public.participation O
 
 
 --
--- Name: study_invite Editors can do everything with study invite codes if participation is invite; Type: POLICY; Schema: public; Owner: postgres
+-- Name: study_invite Editors can manage their own invite-only study invite codes; Type: POLICY; Schema: public; Owner: postgres
 --
 
-CREATE POLICY "Editors can do everything with study invite codes if participation is invite" ON public.study_invite USING (( SELECT public.can_edit(auth.uid(), study.*) AS can_edit
+CREATE POLICY "Editors can manage their own invite-only study invite codes" ON public.study_invite
+USING (
+ (
+   SELECT public.can_edit(auth.uid(), study.*) AS can_edit
    FROM public.study
-  WHERE (study.id = study_invite.study_id AND study.participation = 'invite'::public.participation)));
+   WHERE study.id = study_invite.study_id
+   AND study.participation = 'invite'::public.participation
+ )
+);
+
+--
+-- Name: study_invite Editors can read their own open-study invite codes; Type: POLICY; Schema: public; Owner: postgres
+--
+
+CREATE POLICY "Editors can read their own open-study invite codes"
+ON public.study_invite
+FOR SELECT
+USING (
+ (
+  SELECT public.can_edit(auth.uid(), study.*) AS can_edit
+  FROM public.study
+  WHERE study.id = study_invite.study_id
+  AND study.participation = 'open'::public.participation
+ )
+);
+
+--
+-- Name: study_invite Editors can delete their own open-study invite codes; Type: POLICY; Schema: public; Owner: postgres
+--
+
+CREATE POLICY "Editors can delete their own open-study invite codes"
+ON public.study_invite
+FOR DELETE
+USING (
+  (
+    SELECT public.can_edit(auth.uid(), study.*) AS can_edit
+    FROM public.study
+    WHERE study.id = study_invite.study_id
+    AND study.participation = 'open'::public.participation
+  )
+);
 
 --
 -- Name: study_subject Users can do everything with their subjects; Type: POLICY; Schema: public; Owner: postgres