Rework student dashboard data path as a SECURITY DEFINER RPC

Replaces `public.assignments_for_student_dashboard` (security_invoker view) with
`public.get_assignments_for_student_dashboard(p_class_id, p_student_profile_id)`,
a SECURITY DEFINER plpgsql function. Per CLAUDE.md ("Prefer Postgres RPCs for
data operations") and Jon's explicit guidance:

  - Authorization is one explicit gate at the top of the function: the caller
    must be either the requested student themselves OR an instructor/grader of
    the requested class. Unauthorized calls raise 42501.
  - `public.user_privileges` RLS is untouched and stays strictly the inlinable
    `(user_id = auth.uid())` only. The recursion trap from earlier drafts
    (function-based or inline-EXISTS policies on user_privileges) is avoided
    entirely because the RPC bypasses RLS by definer privilege.
  - The CTE chain is bounded by the (p_class_id, p_student_profile_id) args,
    so every downstream join is O(assignments) regardless of class size.
  - Defensive cleanup at the top of the migration drops any leftover policies/
    helpers that earlier exploratory iterations may have applied locally
    (DROP ... IF EXISTS — no-op on fresh environments).

Frontend callers updated:
  - app/course/[course_id]/assignments/page.tsx: replaces
    `useList({ resource: "assignments_for_student_dashboard", ... })` with
    `supabase.rpc("get_assignments_for_student_dashboard", { p_class_id, p_student_profile_id })`.
  - hooks/useGradebookWhatIf.tsx: same switch. This also fixes a latent view-as
    bug here (the prior code filtered by `courseController.userId`, which is
    always the real signed-in user, so the gradebook what-if wouldn't have
    matched a viewed-as student's row either).

Types regenerated via `npm run client-local`; the view entry is gone from
SupabaseTypes.d.ts and the new RPC appears under Functions.

All 8 view-as E2E tests (4 specs × chromium + webkit) pass locally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: jon-bell

app/course/[course_id]/assignments/page.tsx

@@ -6,14 +6,14 @@ import { SelfReviewDueDate } from "@/components/ui/assignment-due-date";
 import Link from "@/components/ui/link";
 import { PageContainer } from "@/components/ui/page-container";
 import { ResponsiveTable } from "@/components/ui/responsive-table";
-import useAuthState from "@/hooks/useAuthState";
 import { useClassProfiles } from "@/hooks/useClassProfiles";
 import { useIdentity } from "@/hooks/useIdentities";
+import { createClient } from "@/utils/supabase/client";
 import { AssignmentGroup, AssignmentGroupMember, Repo } from "@/utils/supabase/DatabaseTypes";
 import { Database } from "@/utils/supabase/SupabaseTypes";
 import { InputGroup } from "@/components/ui/input-group";
 import { Box, EmptyState, Heading, Icon, Input, Skeleton, Stack, Table, Text } from "@chakra-ui/react";
-import { useState } from "react";
+import { useEffect, useState } from "react";
 import { BsSearch } from "react-icons/bs";
 import { TZDate } from "@date-fns/tz";
 import { useList } from "@refinedev/core";
@@ -43,12 +43,8 @@ type AssignmentUnit = {
   group: string;
 };
 
-export type AssignmentsForStudentDashboard = Omit<
-  Database["public"]["Views"]["assignments_for_student_dashboard"]["Row"],
-  "id"
-> & {
-  id: number;
-};
+export type AssignmentsForStudentDashboard =
+  Database["public"]["Functions"]["get_assignments_for_student_dashboard"]["Returns"][number];
 
 function formatLatestSubmissionLabel(assignment: AssignmentsForStudentDashboard): string {
   if (!assignment.submission_id) {
@@ -70,16 +66,11 @@ function formatLatestSubmissionLabel(assignment: AssignmentsForStudentDashboard)
 export default function StudentPage() {
   const { identities } = useIdentity();
   const { course_id } = useParams();
-  const { user } = useAuthState();
   const { role } = useClassProfiles();
   const course = role.classes;
   const [query, setQuery] = useState("");
 
   const private_profile_id = role.private_profile_id;
-  // Use the effective role's user id (not `user?.id`) so the dashboard filter still matches
-  // when an instructor is viewing as a student — `useAuthState` is always the real signed-in
-  // user, while `role` from `useClassProfiles` follows view-as.
-  const effective_user_id = role.user_id;
   const { data: groupsData } = useList<AssignmentGroupMemberWithGroupAndRepo>({
     resource: "assignment_groups_members",
     meta: {
@@ -95,23 +86,40 @@ export default function StudentPage() {
   });
   const groups: AssignmentGroupMemberWithGroupAndRepo[] | null = groupsData?.data ?? null;
 
-  const { data: assignmentsData, isLoading } = useList<AssignmentsForStudentDashboard>({
-    resource: "assignments_for_student_dashboard",
-    filters: [
-      { field: "class_id", operator: "eq", value: course_id },
-      { field: "student_user_id", operator: "eq", value: effective_user_id },
-      { field: "student_profile_id", operator: "eq", value: private_profile_id }
-    ],
-    pagination: {
-      pageSize: 1000
-    },
-    queryOptions: {
-      enabled: !!user && !!private_profile_id
-    },
-    sorters: [{ field: "due_date", order: "desc" }]
-  });
-
-  const assignments = assignmentsData?.data ?? null;
+  // Dashboard data via SECURITY DEFINER RPC. The function checks authorization at the
+  // top (caller is either the student themselves or an instructor/grader of the class)
+  // and returns the student's assignment dashboard rows. Replaces the prior
+  // `useList({ resource: "assignments_for_student_dashboard" })` on a view whose
+  // security_invoker scoping couldn't accommodate the instructor read-only view-as path.
+  const [assignments, setAssignments] = useState<AssignmentsForStudentDashboard[] | null>(null);
+  const [isLoading, setIsLoading] = useState(true);
+  useEffect(() => {
+    if (!course_id || !private_profile_id) {
+      return;
+    }
+    const supabase = createClient();
+    let cancelled = false;
+    setIsLoading(true);
+    supabase
+      .rpc("get_assignments_for_student_dashboard", {
+        p_class_id: Number(course_id),
+        p_student_profile_id: private_profile_id
+      })
+      .then(({ data, error }) => {
+        if (cancelled) return;
+        if (error) {
+          // eslint-disable-next-line no-console
+          console.error("Failed to load assignments dashboard:", error);
+          setAssignments(null);
+        } else {
+          setAssignments(data ?? []);
+        }
+        setIsLoading(false);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [course_id, private_profile_id]);
 
   const githubIdentity: UserIdentity | null = identities?.find((identity) => identity.provider === "github") ?? null;
 

hooks/useGradebookWhatIf.tsx

@@ -49,7 +49,8 @@ export type GradebookColumnStudentWithMaxScore = Omit<GradebookColumnStudent, "s
   column_slug: string;
 };
 
-type AssignmentForStudentDashboard = Database["public"]["Views"]["assignments_for_student_dashboard"]["Row"];
+type AssignmentForStudentDashboard =
+  Database["public"]["Functions"]["get_assignments_for_student_dashboard"]["Returns"][number];
 class GradebookWhatIfController {
   private _grades: GradebookWhatIfGradeMap = {};
   public debugID: string = crypto.randomUUID();
@@ -72,14 +73,17 @@ class GradebookWhatIfController {
   }
 
   private initializeGradebookGrades() {
-    //Fetch all assignments for the student with their submissions
+    // Fetch all assignments for the student with their submissions via the SECURITY
+    // DEFINER RPC. The function authorizes at the top (caller is either the student
+    // themselves or an instructor/grader of the class), so this works for the
+    // instructor's read-only view-as path as well — using `this.courseController.userId`
+    // here would otherwise be the real signed-in user, not the effective student.
     const client = createClient();
     client
-      .from("assignments_for_student_dashboard")
-      .select("*")
-      .eq("class_id", this.gradebookController.class_id)
-      .eq("student_user_id", this.courseController.userId)
-      .eq("student_profile_id", this.private_profile_id)
+      .rpc("get_assignments_for_student_dashboard", {
+        p_class_id: this.gradebookController.class_id,
+        p_student_profile_id: this.private_profile_id
+      })
       .then(({ data }) => {
         this._assignments = data ?? [];
       });