Restrict chat_threads INSERT to initiator (close rate-limit bypass)

Owner-role inserts skipped thread-initiation limit via OR branch.
App only creates threads as donor/initiator (ChatWindow).

Made-with: Cursor

Author: dnywh

supabase/migrations/20260420120000_chat_thread_rate_limit_and_profile_first_name.sql

@@ -41,12 +41,9 @@ DROP POLICY IF EXISTS "Users can create threads they're involved in" ON public.c
 CREATE POLICY "Users can create threads they're involved in" ON public.chat_threads
   FOR INSERT TO authenticated
   WITH CHECK (
-    (auth.uid() = initiator_id OR auth.uid() = owner_id)
+    auth.uid() = initiator_id
     AND public.check_message_rate_limit(auth.uid())
-    AND (
-      auth.uid() <> initiator_id
-      OR public.check_thread_initiation_rate_limit(auth.uid())
-    )
+    AND public.check_thread_initiation_rate_limit(auth.uid())
   );
 
 

supabase/migrations/20260421121500_chat_threads_insert_initiator_only.sql

@@ -0,0 +1,14 @@
+-- Only the donor/initiator may insert a chat thread (matches ChatWindow.initializeChat).
+-- Previously, owner_id inserts satisfied (auth.uid() <> initiator_id OR rate_limit) without
+-- evaluating the thread-initiation limit. Initiator-only insert applies that limit to everyone
+-- who can create a thread.
+
+DROP POLICY IF EXISTS "Users can create threads they're involved in" ON public.chat_threads;
+
+CREATE POLICY "Users can create threads they're involved in" ON public.chat_threads
+  FOR INSERT TO authenticated
+  WITH CHECK (
+    auth.uid() = initiator_id
+    AND public.check_message_rate_limit(auth.uid())
+    AND public.check_thread_initiation_rate_limit(auth.uid())
+  );