LeagueCaddie
Rick Shimko
Golf & Good Times · Week 3 Open · Back 9 · Regular Season · Private Preview · mock data

Commissioner Security

Security & Access

A production-readiness map for roles, protected routes, tenant data rules, file storage, and audit expectations.

Route Rules: 10 (3 commissioner-only)
Data Rules: 5 (player, team, finance, rules)
Private Buckets: 4 (scorecards, avatars, exports)
Launch Blockers: 1 (must clear before hosting)

V1 authorization

Role Model

Anonymous
No league access

Can only reach sign-in or future marketing/onboarding pages.

Player
League member

Can view league data, board posts, standings, results, and their own profile details.

Commissioner
League administrator

Can manage setup, players, weeks, scorecards, money, rules, and moderation.

Service
Server-only automation

Reserved for extraction jobs, exports, and trusted server-side writes.

Required before web-facing launch

Production Gate

[review] Authentication provider selected

Supabase Auth or another provider needs to become the source of user sessions.

Owner: security

[blocked] Tenant and role policies

Database RLS must enforce tenant_id, commissioner access, and player-owned content before public hosting.

Owner: security

[ready] Active rules profile

Golf & Good Times scoring, gross skins, and payout settings are represented in the active profile.

Owner: commissioner

[ready] Real roster loaded

Active players, substitutes, and commissioner access are represented in mock data.

Owner: commissioner

[review] Private file storage

Scorecard images, avatars, and exports need private tenant-scoped storage buckets.

Owner: security

Route access map

Protected Routes

Route | Audience | Reason
/dashboard | authenticated | League home requires a signed-in player or commissioner.
/weeks/* | authenticated | Scores and results are league-member content.
/standings | authenticated | League standings are visible to signed-in league members.
/money | authenticated | Money visibility is role-aware after sign-in.
/board | authenticated | League discussion is member-only.
/players/* | authenticated | Profiles show league-member identity and stats.
/admin/* | commissioner | Setup, scoring, finance, and rules management are commissioner-only.
/admin/weeks/*/scorecards | commissioner | Printable scorecards are generated by commissioners.
/admin/weeks/*/scorecard-capture | commissioner | Uploaded scorecard review posts official scoring data.
/api/scorecard-extraction/* | service | Future extraction jobs should run with server-side service credentials only.

RLS policy intent

Data Access Rules

League schedule, standings, score results, and board posts (scope: public league)

Players: Signed-in league members can read visible league records.

Commissioners: Commissioners can read and moderate all visible league records.

Player contact, profile, and avatar details (scope: own player)

Players: Players can update their own avatar and limited contact details.

Commissioners: Commissioners can update player status, substitute flags, contact cleanup, and admin access.

Team identity and weekly participation (scope: team member)

Players: Either rostered player can update team logo/details and indicate substitute needs.

Commissioners: Commissioners can manage all teams and weekly assignments.

Financial transactions (scope: commissioner only)

Players: Golf & Good Times currently allows league-visible finance summaries, but player payment edits remain locked.

Commissioners: Commissioners can record payments, adjustments, skins opt-ins, and payouts.

Rules profiles, tenant feature flags, and audit logs (scope: commissioner only)

Players: Players can read member-facing active rules only.

Commissioners: Commissioners can draft and activate tenant-scoped rules with audit history.
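The launch blocker above ("Database RLS must enforce tenant_id, commissioner access, and player-owned content") and the five data rules in this section describe policy intent only. The following is an added example of how that intent lands as Postgres row-level security on a Supabase-style database; it is not LeagueCaddie's own schema. Everything it relies on is assumed: a tenant_id uuid column on every league table, a public.league_members table (tenant_id, user_id, role) with role 'player' or 'commissioner', public.players with user_id, team_id, status and is_substitute, board_posts with deleted_at, rules_profiles with status, and Supabase's auth.uid() returning the signed-in user (null for anonymous).

```sql
-- Added example, not LeagueCaddie's own schema: Postgres row-level security for
-- the five V1 data rules on a Supabase-style database. Assumptions (none from
-- the page): every league table has a tenant_id uuid column; public.league_members
-- (tenant_id, user_id, role) maps auth users to a tenant with role 'player' or
-- 'commissioner'; public.players has user_id, team_id, status, is_substitute;
-- auth.uid() returns the signed-in user's id and null for anonymous callers.

create schema if not exists app;

-- Role of the current user inside one tenant, or null if not a member.
-- security definer so the lookup is not itself blocked by RLS; search_path is
-- pinned so a caller cannot shadow the table it reads.
create or replace function app.member_role(p_tenant uuid) returns text
language sql stable security definer set search_path = public as $$
  select role from public.league_members
  where tenant_id = p_tenant and user_id = auth.uid()
$$;
create or replace function app.is_member(p_tenant uuid) returns boolean
language sql stable as $$ select app.member_role(p_tenant) is not null $$;
create or replace function app.is_commissioner(p_tenant uuid) returns boolean
language sql stable as $$ select app.member_role(p_tenant) = 'commissioner' $$;

-- Membership (including admin access) gets RLS with no client policy: only the
-- helper above reads it and only server-side code changes it.
alter table public.league_members enable row level security;

-- 1. Public league records (board_posts stands in for schedule/standings/
--    results): members read visible rows, commissioners read and moderate all.
alter table public.board_posts enable row level security;
create policy board_member_read on public.board_posts for select
  using (app.is_member(tenant_id) and deleted_at is null);
create policy board_commissioner_all on public.board_posts for all
  using (app.is_commissioner(tenant_id)) with check (app.is_commissioner(tenant_id));

-- 2. Own player: RLS decides which rows; the trigger decides which columns,
--    because a row policy cannot stop a player editing status on their own row.
alter table public.players enable row level security;
create policy players_member_read on public.players for select
  using (app.is_member(tenant_id));
create policy players_self_update on public.players for update
  using (user_id = auth.uid()) with check (user_id = auth.uid());
create policy players_commissioner_all on public.players for all
  using (app.is_commissioner(tenant_id)) with check (app.is_commissioner(tenant_id));

create or replace function app.guard_player_columns() returns trigger
language plpgsql as $$
begin
  -- No user session means RLS was bypassed (service key / server job), not a client.
  if auth.uid() is null then return new; end if;
  if new.tenant_id <> old.tenant_id or new.user_id is distinct from old.user_id then
    raise exception 'tenant_id and user_id are immutable';
  end if;
  if (new.status, new.is_substitute) is distinct from (old.status, old.is_substitute)
     and not app.is_commissioner(old.tenant_id) then
    raise exception 'only a commissioner may change status or substitute flags';
  end if;
  return new;
end $$;
create trigger players_guard before update on public.players
  for each row execute function app.guard_player_columns();

-- 3. Team member: either rostered player, or a commissioner, may edit the team.
alter table public.teams enable row level security;
create policy teams_member_read on public.teams for select
  using (app.is_member(tenant_id));
create policy teams_roster_update on public.teams for update
  using (app.is_commissioner(tenant_id) or exists (
           select 1 from public.players p
           where p.team_id = teams.id and p.tenant_id = teams.tenant_id
             and p.user_id = auth.uid()))
  with check (app.is_member(tenant_id));

-- 4. Finance: league-visible summaries, every write commissioner-only. No
--    delete policy exists, so DELETE is denied to every client role.
alter table public.transactions enable row level security;
create policy tx_member_read on public.transactions for select
  using (app.is_member(tenant_id));
create policy tx_commissioner_insert on public.transactions for insert
  with check (app.is_commissioner(tenant_id));
create policy tx_commissioner_update on public.transactions for update
  using (app.is_commissioner(tenant_id)) with check (app.is_commissioner(tenant_id));

-- 5. Rules profiles: players see only the active profile, commissioners see
--    drafts and may activate them.
alter table public.rules_profiles enable row level security;
create policy rules_member_read on public.rules_profiles for select
  using (app.is_member(tenant_id)
         and (status = 'active' or app.is_commissioner(tenant_id)));
create policy rules_commissioner_all on public.rules_profiles for all
  using (app.is_commissioner(tenant_id)) with check (app.is_commissioner(tenant_id));
```

Two points worth checking before this goes near a real tenant. First, policies on the same command are OR'd, so a player's own-row policy and the commissioner policy coexist, but column restrictions ("players may change avatar and contact details, not status") need the trigger or column-level grants; RLS alone will not do it. Second, the service key bypasses RLS but not triggers, which is why the trigger returns early when there is no user session; that key must only ever live server-side (the Service role above). The teams table should get the same tenant_id immutability trigger as players.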

Private files

Storage Access Rules

scorecard-images (commissioner only)

Uploads: Commissioners only

Original scorecard uploads should be private, tenant-scoped, and linked from review/audit pages.

player-avatars (own player)

Uploads: Owning player or commissioner

Images should be square-cropped and readable by signed-in league members.

team-logos (team member)

Uploads: Rostered team member or commissioner

Either player on the team can update the logo; commissioner can moderate/remove.

exports (commissioner only)

Uploads: Server-side export job

Generated PDFs should expire or be regenerated rather than stored publicly forever.
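The four bucket rules above, written as Supabase storage policies. This is an added example, not LeagueCaddie's code, and it assumes a path convention the page does not state: objects are stored as tenant_id/owner_id/filename, where owner_id is the week, player or team the file belongs to. It also assumes the public.league_members and public.players tables described in the data-rules example, and that the storage.buckets table exposes allowed_mime_types.

```sql
-- Added example, not LeagueCaddie's own code: the four private buckets and their
-- policies on Supabase's storage.objects table. Assumptions (none from the page):
-- objects are stored as <tenant_id>/<owner_id>/<file>, where owner_id is the week,
-- player or team the file belongs to; public.league_members(tenant_id, user_id,
-- role) and public.players(id, tenant_id, user_id, team_id) exist as in the
-- data-rules example.

create schema if not exists app;

-- Same membership helper as the data-rules example, redefined here so this
-- block runs on its own.
create or replace function app.member_role(p_tenant uuid) returns text
language sql stable security definer set search_path = public as $$
  select role from public.league_members
  where tenant_id = p_tenant and user_id = auth.uid()
$$;

-- Safe cast: null for anything that is not a well-formed uuid, so a policy never
-- raises on rows whose paths follow another convention (Postgres does not
-- guarantee that AND short-circuits before the cast is evaluated).
create or replace function app.as_uuid(p text) returns uuid
language sql immutable as $$
  select case when p ~* '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' then p::uuid end
$$;
create or replace function app.obj_tenant(p_name text) returns uuid
language sql stable as $$ select app.as_uuid((storage.foldername(p_name))[1]) $$;
create or replace function app.obj_owner(p_name text) returns uuid
language sql stable as $$ select app.as_uuid((storage.foldername(p_name))[2]) $$;
create or replace function app.is_tenant_commissioner(p_name text) returns boolean
language sql stable as $$ select app.member_role(app.obj_tenant(p_name)) = 'commissioner' $$;
create or replace function app.is_tenant_member(p_name text) returns boolean
language sql stable as $$ select app.member_role(app.obj_tenant(p_name)) is not null $$;

-- All four buckets are private: objects are served only to a policy-approved
-- session or through a short-lived signed URL. MIME allow-lists are an assumption.
insert into storage.buckets (id, name, public, allowed_mime_types) values
  ('scorecard-images', 'scorecard-images', false, array['image/jpeg', 'image/png', 'image/heic']),
  ('player-avatars',   'player-avatars',   false, array['image/jpeg', 'image/png', 'image/webp']),
  ('team-logos',       'team-logos',       false, array['image/png', 'image/webp']),
  ('exports',          'exports',          false, array['application/pdf'])
on conflict (id) do nothing;

-- scorecard-images: commissioners of the tenant in the path, every operation.
create policy scorecards_commissioner on storage.objects for all to authenticated
  using (bucket_id = 'scorecard-images' and app.is_tenant_commissioner(name))
  with check (bucket_id = 'scorecard-images' and app.is_tenant_commissioner(name));

-- player-avatars: any tenant member reads; only the owning player (second path
-- segment is their player id) or a commissioner writes.
create or replace function app.avatar_writer(p_name text) returns boolean
language sql stable as $$
  select app.is_tenant_commissioner(p_name) or exists (
    select 1 from public.players p
    where p.id = app.obj_owner(p_name) and p.tenant_id = app.obj_tenant(p_name)
      and p.user_id = auth.uid())
$$;
create policy avatars_member_read on storage.objects for select to authenticated
  using (bucket_id = 'player-avatars' and app.is_tenant_member(name));
create policy avatars_owner_write on storage.objects for all to authenticated
  using (bucket_id = 'player-avatars' and app.avatar_writer(name))
  with check (bucket_id = 'player-avatars' and app.avatar_writer(name));

-- team-logos: members read; either rostered player (players.team_id matches the
-- second path segment) or a commissioner writes.
create or replace function app.logo_writer(p_name text) returns boolean
language sql stable as $$
  select app.is_tenant_commissioner(p_name) or exists (
    select 1 from public.players p
    where p.team_id = app.obj_owner(p_name) and p.tenant_id = app.obj_tenant(p_name)
      and p.user_id = auth.uid())
$$;
create policy logos_member_read on storage.objects for select to authenticated
  using (bucket_id = 'team-logos' and app.is_tenant_member(name));
create policy logos_roster_write on storage.objects for all to authenticated
  using (bucket_id = 'team-logos' and app.logo_writer(name))
  with check (bucket_id = 'team-logos' and app.logo_writer(name));

-- exports: commissioners read; no client write policy at all, so the only
-- writer is the server-side export job using the service key (which bypasses
-- RLS and therefore must never reach the browser).
create policy exports_commissioner_read on storage.objects for select to authenticated
  using (bucket_id = 'exports' and app.is_tenant_commissioner(name));
```

Because every bucket is private, the app hands out files with short-lived signed URLs (for example createSignedUrl(path, 300) from the Supabase JS client) rather than a permanent public link, which is what "expire or be regenerated" asks for. Rows in storage.objects only describe the files; the expiry sweep for old exports should delete through the storage API from a server-side job, not by deleting rows directly.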

Trust layer

Audit Trail Expectations

Required: Rules profile activation. Record who activated it, what changed, and which season/week snapshot uses it.
Required: Scorecard extraction corrections. Record original image, extracted values, edited values, confidence, and commissioner note.
Required: Financial adjustments. Record payment, payout, retroactive skins opt-in, and manual correction reasons.
Recommended: Board moderation. Soft-delete and lock actions should record moderator and timestamp.
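One way to meet all four expectations with a single mechanism, as an added example that is not LeagueCaddie's own code: an append-only audit table fed by a generic row trigger, with the commissioner's reason passed through a transaction-local setting. It assumes (the page states none of this) that every audited table has id uuid and tenant_id uuid columns, that public.league_members(tenant_id, user_id, role) exists, and that a scorecard_extractions table stores image_path, extracted_values, edited_values, confidence and commissioner_note, so the row snapshots already carry what the extraction-correction trail asks for.

```sql
-- Added example, not LeagueCaddie's own code: an append-only audit log written by
-- one generic trigger, attached to the three required trails and the recommended
-- one. Assumptions (none from the page): every audited table has id uuid and
-- tenant_id uuid; public.league_members(tenant_id, user_id, role) exists;
-- public.scorecard_extractions stores image_path, extracted_values, edited_values,
-- confidence and commissioner_note, so the row snapshots carry that trail's data.

create schema if not exists app;

create table if not exists app.audit_log (
  id         bigint generated always as identity primary key,
  tenant_id  uuid not null,
  actor_id   uuid,                     -- auth.uid(); null for service/server-side writes
  table_name text not null,
  row_id     uuid,
  action     text not null check (action in ('INSERT', 'UPDATE', 'DELETE')),
  old_row    jsonb,                    -- row before the change (null on INSERT)
  new_row    jsonb,                    -- row after the change (null on DELETE)
  note       text,                     -- reason supplied by the commissioner, if any
  created_at timestamptz not null default now()
);

-- Generic row trigger. security definer so it can insert although clients hold
-- no insert grant on the log; the note is read from a transaction-local setting.
create or replace function app.audit_row() returns trigger
language plpgsql security definer set search_path = public, app as $$
begin
  insert into app.audit_log
    (tenant_id, actor_id, table_name, row_id, action, old_row, new_row, note)
  values (
    case when tg_op = 'DELETE' then old.tenant_id else new.tenant_id end,
    auth.uid(),
    tg_table_name,
    case when tg_op = 'DELETE' then old.id else new.id end,
    tg_op,
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end,
    nullif(current_setting('app.audit_note', true), '')
  );
  if tg_op = 'DELETE' then return old; end if;
  return new;
end $$;

-- Required trails.
create trigger audit_rules_profiles
  after insert or update or delete on public.rules_profiles
  for each row execute function app.audit_row();
create trigger audit_scorecard_extractions
  after insert or update on public.scorecard_extractions
  for each row execute function app.audit_row();
create trigger audit_transactions
  after insert or update or delete on public.transactions
  for each row execute function app.audit_row();
-- Recommended trail: soft-delete and lock are UPDATEs on board_posts, so one
-- trigger captures moderator (actor_id), timestamp and the before/after rows.
create trigger audit_board_posts
  after update on public.board_posts
  for each row execute function app.audit_row();

-- Same membership helper as the data-rules example, redefined so this block
-- stands on its own.
create or replace function app.member_role(p_tenant uuid) returns text
language sql stable security definer set search_path = public as $$
  select role from public.league_members
  where tenant_id = p_tenant and user_id = auth.uid()
$$;

-- Read: commissioners of that tenant. Write: only the trigger; no client role
-- holds insert, update or delete, so the log is append-only from the API.
alter table app.audit_log enable row level security;
create policy audit_commissioner_read on app.audit_log for select to authenticated
  using (app.member_role(tenant_id) = 'commissioner');
revoke all on app.audit_log from anon, authenticated;
grant usage on schema app to authenticated;
grant select on app.audit_log to authenticated;

-- Usage from the application, in one transaction: set the reason first (the
-- is_local = true argument scopes it to this transaction), then make the change.
begin;
select set_config('app.audit_note', 'Retroactive skins opt-in, paid cash at week 3', true);
update public.transactions
   set skins_opt_in = true
 where id = '00000000-0000-0000-0000-000000000001';   -- hypothetical row id
commit;

-- Who activated a rules profile, and what changed, from the captured snapshots.
select created_at, actor_id, new_row ->> 'name' as profile,
       old_row ->> 'status' as status_before, new_row ->> 'status' as status_after
  from app.audit_log
 where table_name = 'rules_profiles'
   and new_row ->> 'status' = 'active'
   and old_row ->> 'status' is distinct from 'active'
 order by created_at desc;
```

Two design notes. The note travels in a transaction-local GUC rather than a column on the business table, so it cannot leak into the next statement and the commissioner cannot later edit it away; if the reason is mandatory for finance, the trigger can raise when current_setting returns empty for that table. Supabase does not expose a custom schema such as app to its REST API by default, so commissioner-facing audit pages read it through an exposed schema or a view in public.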