initial commit

This commit is contained in:
ray
2026-07-12 10:01:39 -04:00
commit fc8290d668
185 changed files with 38831 additions and 0 deletions
@@ -0,0 +1,39 @@
/// <reference path="../pb_data/types.d.ts" />
//
// M13 — API rules for the users collection.
//
// Previously the users collection had no migration-applied rules (see M4
// comment at line 14-15). Without list/view rules, any authenticated user
// could enumerate all accounts including shop owner emails and display
// names.
//
// This migration restricts users to seeing only their own record:
// listRule = 'id = @request.auth.id'
// viewRule = 'id = @request.auth.id'
//
// Create, Update, and Delete rules remain as default (admin-only) —
// self-registration is handled by the frontend signup flow, and profile
// updates use the PB auth endpoints or admin UI.
migrate(
(db) => {
const col = db.findCollectionByNameOrId('users');
if (!col) {
console.warn('[M13] users collection not found — skipping');
return;
}
col.listRule = 'id = @request.auth.id';
col.viewRule = 'id = @request.auth.id';
db.save(col);
console.log('[M13] applied user-scoped rules to users collection');
},
(db) => {
// On rollback: clear the rules back to empty (fallback to admin-only access).
const col = db.findCollectionByNameOrId('users');
if (!col) return;
col.listRule = '';
col.viewRule = '';
db.save(col);
}
);