Documentation

Setup notes for the PeoplesChoice website (Next.js + Supabase), including roles/permissions and blog image uploads.

Quick start

npm install
cp .env.example .env.local
npm run dev

If you ever hit Windows .next cache/lock issues, run:

npm run dev:clean

Environment variables

Put these in .env.local (do not commit secrets). Use .env.example as a template.

Required (Supabase)

  • NEXT_PUBLIC_SUPABASE_URL
  • NEXT_PUBLIC_SUPABASE_ANON_KEY
  • SUPABASE_SERVICE_ROLE_KEY (server-only)

Required (Superadmin page)

  • ADMIN_ACCESS_CODE

Optional

  • OPENAI_API_KEY
  • NEXT_PUBLIC_SITE_URL
  • NEXT_PUBLIC_GA_ID, NEXT_PUBLIC_GA_DEBUG
  • NEXT_PUBLIC_DONATION_URL
  • NEXT_PUBLIC_SUPABASE_EVENT_IMAGES_BUCKET
  • NEXT_PUBLIC_SUPABASE_POST_IMAGES_BUCKET

Supabase setup

Run the SQL files in the Supabase SQL editor to create tables (with RLS enabled):

  • supabase/sql/001_create_posts.sql
  • supabase/sql/002_create_post_likes.sql
  • supabase/sql/003_add_post_views.sql
  • supabase/sql/004_create_events.sql

Storage buckets used by the app (defaults are shown):

  • avatars (dashboard avatars + default bucket for event/post images)
  • Override event bucket with NEXT_PUBLIC_SUPABASE_EVENT_IMAGES_BUCKET
  • Override post bucket with NEXT_PUBLIC_SUPABASE_POST_IMAGES_BUCKET

Roles & permissions

Roles are read from Supabase Auth user_metadata.role.

CEO-equivalent (full access)

  • CEO
  • Software Engineer
  • General Manager

Project Manager group (same access as Project Manager)

  • Project Manager
  • Chief Researcher
  • Logistics and Procurement Officer
  • Secretary
  • SportX Manager
  • Marketing Manager

The “Project Manager” access group can access CEO features except Staff Management.

Blog post images (upload only)

Blog post creation requires an image file upload (URLs are rejected). Upload is handled server-side using the Supabase service role key.

  • Endpoint: POST /api/posts
  • Content-Type: multipart/form-data
  • Field: image (required file, max 5MB)
  • Author rule: only CEO-equivalent roles can manually set author; otherwise author is forced to the requester’s role.
  • Delete rule: only CEO-equivalent roles can delete posts.