fix(db): enable RLS on tables added since the original RLS migration#332
Merged
Conversation
…ce the original RLS migration The Supabase security advisor flags rls_disabled_in_public (ERROR) on the seven tables created after 20251215090000_enable_rls_disable_postgrest: PendingBot, BotClaimToken, AuditLog, Contact, WalletBotAccess, BotKey, BotUser. ProposalTally and the three notification-center tables would be flagged as soon as they reach production, so they are included too. Same idempotent pattern as the original migration: RLS on, deny-all for anon/authenticated when those roles exist, Prisma service role unaffected. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The Supabase security advisor reports
rls_disabled_in_public(ERROR level) for seven tables in production:PendingBot,BotClaimToken,AuditLog,Contact,WalletBotAccess,BotKey,BotUser. All were created after20251215090000_enable_rls_disable_postgrest, which enabled RLS + deny-all PostgREST policies on every table that existed at the time — but nothing enforces the pattern for tables added later.This closes the July roadmap item "review the Supabase RLS advisory on the seven rls_enabled:false tables".
What
One follow-up migration in the exact pattern of the original:
ProposalTally(onmain, deploy still pending) and the notification-center tablesWalletSignerNotificationSetting,EmailVerificationToken,NotificationDelivery(currently preprod-only) — 11 total.anon/authenticatedcreated only if those roles exist; tables that don't exist are skipped. Safe on any PostgreSQL, no-op outside Supabase.Advisor reference: rls_disabled_in_public
Note for the deploy
The
ProposalTallymigration from #303 still hasn't been applied to production (the June 17 deploy-migrations run failed pre-Node-22-fix, and nothing has re-triggered it). When this PR eventually reachesmainit will trigger the deploy workflow and apply both. If governance tallies erroring in prod is urgent before then, dispatch Deploy Database Migrations manually onmain.🤖 Generated with Claude Code