fix(online-users): complete fix for RLS policy and org_id sync

Author: eldinmiller

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to BluePLM will be documented in this file.
 
+## [2.9.3] - 2025-12-17
+
+### Fixed
+- **Online users visibility (complete fix)**: Fixed RLS policy that was preventing users from seeing other organization members online. The policy now properly handles NULL org_id comparisons. Added database index on `user_sessions.org_id` for better query performance. Improved session sync to update all sessions unconditionally.
+
+---
+
 ## [2.9.2] - 2025-12-17
 
 ### Added

package.json

@@ -1,6 +1,6 @@
 {
   "name": "blue-plm",
-  "version": "2.9.2",
+  "version": "2.9.3",
   "description": "Product Lifecycle Management for everyone who builds",
   "main": "dist-electron/main.js",
   "scripts": {

src/App.tsx

@@ -3,7 +3,7 @@ import { registerModule, unregisterModule } from '@/lib/telemetry'
 import { usePDMStore } from './stores/pdmStore'
 import { SettingsContent } from './components/SettingsContent'
 import type { SettingsTab } from './types/settings'
-import { supabase, getCurrentSession, isSupabaseConfigured, getFilesLightweight, getCheckedOutUsers, linkUserToOrganization, getUserProfile, setCurrentAccessToken, registerDeviceSession, startSessionHeartbeat, stopSessionHeartbeat, signOut, syncUserSessionsOrgId } from './lib/supabase'
+import { supabase, getCurrentSession, isSupabaseConfigured, getFilesLightweight, getCheckedOutUsers, linkUserToOrganization, getUserProfile, setCurrentAccessToken, registerDeviceSession, startSessionHeartbeat, stopSessionHeartbeat, signOut, syncUserSessionsOrgId, ensureUserOrgId } from './lib/supabase'
 import { subscribeToFiles, subscribeToActivity, subscribeToOrganization, unsubscribeAll } from './lib/realtime'
 import { getBackupStatus, isThisDesignatedMachine, updateHeartbeat } from './lib/backup'
 import { MenuBar } from './components/MenuBar'
@@ -317,6 +317,13 @@ function App() {
         setCurrentAccessToken(session.access_token)
 
         try {
+          // FIRST: Ensure user's org_id is correct in the database
+          // This fixes issues where users have NULL or wrong org_id
+          const orgIdResult = await ensureUserOrgId()
+          if (orgIdResult.fixed) {
+            console.log('[Auth] Fixed user org_id in database')
+          }
+          
           // Fetch user profile from database to get role
           const { profile, error: profileError } = await getUserProfile(session.user.id)
           if (profileError) {
@@ -386,6 +393,13 @@ function App() {
           setCurrentAccessToken(session.access_token)
 
           try {
+            // FIRST: Ensure user's org_id is correct in the database
+            // This fixes issues where users have NULL or wrong org_id
+            const orgIdResult = await ensureUserOrgId()
+            if (orgIdResult.fixed) {
+              console.log('[Auth] Fixed user org_id in database during', event)
+            }
+            
             // Fetch user profile from database to get role
             console.log('[Auth] Fetching user profile...')
             const { profile, error: profileError } = await getUserProfile(session.user.id)
@@ -1965,11 +1979,15 @@ function App() {
 
     // Register this device's session
     // Use user.org_id first, fall back to organization.id if not set
-    const orgIdForSession = user.org_id || usePDMStore.getState().organization?.id || null
+    const orgIdForSession = user.org_id || organization?.id || null
+    console.log('[Session] Registering session with org_id:', orgIdForSession?.substring(0, 8) || 'NULL', 
+      '(user.org_id:', user.org_id?.substring(0, 8) || 'NULL', 
+      ', organization?.id:', organization?.id?.substring(0, 8) || 'NULL', ')')
+    
     registerDeviceSession(user.id, orgIdForSession)
       .then(result => {
         if (result.success) {
-          console.log('[Session] Device session registered')
+          console.log('[Session] Device session registered successfully with org_id:', orgIdForSession?.substring(0, 8) || 'NULL')
           // Start heartbeat to keep session alive
           // Pass callbacks: one for remote sign out, one to get current org_id
           startSessionHeartbeat(

src/lib/supabase.ts

@@ -3957,24 +3957,65 @@ export async function registerDeviceSession(
 
 /**
  * Sync all sessions for a user to use the correct org_id
- * Call this after org is loaded to fix sessions that were created with null org_id
+ * Call this after org is loaded to fix sessions that were created with null or wrong org_id
  */
 export async function syncUserSessionsOrgId(userId: string, orgId: string): Promise<void> {
   const client = getSupabaseClient()
 
   console.log('[Session] Syncing all user sessions to org_id:', orgId?.substring(0, 8) + '...')
 
-  // Update all active sessions for this user to have the correct org_id
-  const { error } = await client
+  // Update ALL active sessions for this user to have the correct org_id
+  // Use unconditional update - simpler and ensures all sessions have correct org_id
+  // The update only affects this user's sessions, so it's safe
+  const { data, error } = await client
     .from('user_sessions')
     .update({ org_id: orgId })
     .eq('user_id', userId)
-    .is('org_id', null)  // Only update sessions with NULL org_id
+    .select('id')
 
   if (error) {
     console.error('[Session] Failed to sync session org_ids:', error.message)
   } else {
-    console.log('[Session] Session org_ids synced successfully')
+    console.log('[Session] Session org_ids synced successfully, updated:', data?.length || 0, 'sessions')
+  }
+}
+
+/**
+ * Ensure the current user has the correct org_id in the database
+ * This calls a database RPC that checks and fixes org_id based on email domain
+ * Should be called on every app boot to prevent org_id mismatch issues
+ */
+export async function ensureUserOrgId(): Promise<{ success: boolean; fixed: boolean; org_id?: string; error?: string }> {
+  const client = getSupabaseClient()
+  
+  console.log('[Auth] Ensuring user org_id is correct...')
+  
+  try {
+    const { data, error } = await client.rpc('ensure_user_org_id' as never)
+    
+    if (error) {
+      // RPC might not exist yet (before migration runs)
+      console.warn('[Auth] ensure_user_org_id RPC failed (run migration if not done):', error.message)
+      return { success: false, fixed: false, error: error.message }
+    }
+    
+    const result = data as { success: boolean; fixed: boolean; org_id?: string; previous_org_id?: string; new_org_id?: string; error?: string }
+    
+    if (result.fixed) {
+      console.log('[Auth] Fixed user org_id:', result.previous_org_id?.substring(0, 8) + '... ->', result.new_org_id?.substring(0, 8) + '...')
+    } else {
+      console.log('[Auth] User org_id is correct:', result.org_id?.substring(0, 8) + '...')
+    }
+    
+    return { 
+      success: result.success, 
+      fixed: result.fixed, 
+      org_id: result.new_org_id || result.org_id,
+      error: result.error
+    }
+  } catch (err) {
+    console.error('[Auth] ensureUserOrgId failed:', err)
+    return { success: false, fixed: false, error: String(err) }
   }
 }
 
@@ -4232,24 +4273,29 @@ export async function getOrgOnlineUsers(orgId: string): Promise<{ users: OnlineU
   // Get sessions active within the last 5 minutes
   const fiveMinutesAgo = new Date(Date.now() - 5 * 60 * 1000).toISOString()
 
-  console.log('[OnlineUsers] Fetching online users for org:', orgId, 'since:', fiveMinutesAgo)
+  console.log('[OnlineUsers] Fetching online users for org:', orgId?.substring(0, 8) + '...', 'since:', fiveMinutesAgo)
 
-  // First, let's debug by fetching ALL active sessions for this org (without RLS filtering)
+  // First, let's debug by fetching ALL active sessions visible to current user (RLS applies)
+  // This helps diagnose if the RLS policy is working correctly
   const { data: debugData, error: debugError } = await client
     .from('user_sessions')
     .select('user_id, org_id, machine_name, is_active, last_seen')
     .eq('is_active', true)
     .gte('last_seen', fiveMinutesAgo)
 
-  console.log('[OnlineUsers] DEBUG - All active sessions visible to current user:', 
-    debugData?.map(s => ({ 
-      user_id: s.user_id?.substring(0, 8), 
-      org_id: s.org_id?.substring(0, 8) || 'NULL',
-      machine: s.machine_name,
-      last_seen: s.last_seen
-    })) || [], 
-    'Error:', debugError?.message || 'none'
-  )
+  console.log('[OnlineUsers] DEBUG - All active sessions visible to current user (RLS filtered):', 
+    debugData?.length || 0, 'sessions')
+  if (debugData && debugData.length > 0) {
+    debugData.forEach(s => {
+      console.log('[OnlineUsers]   -', s.machine_name, 
+        '| user:', s.user_id?.substring(0, 8) + '...',
+        '| org:', s.org_id?.substring(0, 8) || 'NULL',
+        '| last_seen:', new Date(s.last_seen).toLocaleTimeString())
+    })
+  }
+  if (debugError) {
+    console.error('[OnlineUsers] DEBUG query error:', debugError.message)
+  }
 
   const { data, error } = await client
     .from('user_sessions')
@@ -4310,6 +4356,8 @@ export function subscribeToOrgOnlineUsers(
 ): () => void {
   const client = getSupabaseClient()
 
+  console.log('[OnlineUsers] Subscribing to realtime updates for org:', orgId?.substring(0, 8) + '...')
+  
   const channel = client
     .channel(`org_sessions:${orgId}`)
     .on<UserSession>(
@@ -4320,15 +4368,22 @@ export function subscribeToOrgOnlineUsers(
         table: 'user_sessions',
         filter: `org_id=eq.${orgId}`
       },
-      async () => {
+      async (payload) => {
+        console.log('[OnlineUsers] Realtime event received:', payload.eventType, 
+          '| user:', (payload.new as UserSession)?.user_id?.substring(0, 8) || (payload.old as UserSession)?.user_id?.substring(0, 8) || 'unknown')
+        
         // When any org session changes, fetch all online users
         const { users } = await getOrgOnlineUsers(orgId)
+        console.log('[OnlineUsers] Refreshed online users after realtime event:', users.length)
         onUsersChange(users)
       }
     )
-    .subscribe()
+    .subscribe((status) => {
+      console.log('[OnlineUsers] Subscription status:', status)
+    })
 
   return () => {
+    console.log('[OnlineUsers] Unsubscribing from realtime updates for org:', orgId?.substring(0, 8) + '...')
     channel.unsubscribe()
   }
 }

supabase/diagnose_odoo_visibility.sql

@@ -0,0 +1,54 @@
+-- Quick diagnostic for Odoo config visibility issue
+-- Run this in Supabase SQL editor to identify the problem
+
+-- 1. Show the Odoo config that exists but isn't loading
+SELECT 
+  osc.id,
+  osc.name,
+  osc.url,
+  osc.org_id as config_org_id,
+  o.name as config_org_name
+FROM odoo_saved_configs osc
+JOIN organizations o ON osc.org_id = o.id
+WHERE osc.name = 'BR Production Server'  -- The config name from the error
+   OR osc.name ILIKE '%production%';     -- Or similar
+
+-- 2. Show all users and their org_ids
+SELECT 
+  email,
+  role,
+  org_id as user_org_id,
+  (SELECT name FROM organizations WHERE id = users.org_id) as org_name
+FROM users
+ORDER BY email;
+
+-- 3. Quick visibility check - do ANY users have matching org_id?
+SELECT 
+  osc.name as config_name,
+  osc.org_id as config_org_id,
+  COUNT(*) FILTER (WHERE u.org_id = osc.org_id) as users_who_can_see,
+  COUNT(*) FILTER (WHERE u.org_id IS NULL) as users_with_null_org,
+  COUNT(*) FILTER (WHERE u.org_id != osc.org_id AND u.org_id IS NOT NULL) as users_with_different_org
+FROM odoo_saved_configs osc
+CROSS JOIN users u
+WHERE osc.is_active = true
+GROUP BY osc.id, osc.name, osc.org_id;
+
+-- 4. If the problem is NULL org_ids, fix them:
+-- (Run this to see what WOULD be fixed)
+SELECT 
+  u.email,
+  u.org_id as current_org_id,
+  o.id as should_be_org_id,
+  o.name as org_name
+FROM users u
+JOIN organizations o ON SPLIT_PART(u.email, '@', 2) = ANY(o.email_domains)
+WHERE u.org_id IS NULL OR u.org_id != o.id;
+
+-- 5. THE FIX: Update users to correct org_id based on email domain
+UPDATE users u
+SET org_id = o.id
+FROM organizations o
+WHERE SPLIT_PART(u.email, '@', 2) = ANY(o.email_domains)
+  AND (u.org_id IS NULL OR u.org_id != o.id);
+