From efd5e629e710dc922a1dd1a7e7eaaa597c0a2d52 Mon Sep 17 00:00:00 2001
From: roshanraj9136
Date: Sat, 13 Jun 2026 01:42:59 +0530
Subject: [PATCH] security(rls): restrict courses/professors UPDATE to admin only

The UPDATE policies on courses and professors used USING (true) WITH CHECK (true), allowing any authenticated user to modify any course or professor record (name, ratings, department, etc.). The comment said 'allow trigger updates' but triggers defined with SECURITY DEFINER bypass RLS entirely, so the permissive policy only benefited attackers. Restrict to is_admin() to match INSERT and DELETE policies.
---
 src/migrations/migration.sql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/migrations/migration.sql b/src/migrations/migration.sql
index 7d95043..61c8b42 100644
--- a/src/migrations/migration.sql
+++ b/src/migrations/migration.sql
@@ -393,7 +393,7 @@ CREATE POLICY course_insert ON courses
  FOR INSERT WITH CHECK (is_admin());
 
 CREATE POLICY course_update ON courses
- FOR UPDATE USING (true) WITH CHECK (true);
+ FOR UPDATE USING (is_admin()) WITH CHECK (is_admin());
 
 CREATE POLICY course_delete ON courses
  FOR DELETE USING (is_admin());
@@ -406,7 +406,7 @@ CREATE POLICY professor_insert ON professors
  FOR INSERT WITH CHECK (is_admin());
 
 CREATE POLICY professor_update ON professors
- FOR UPDATE USING (true) WITH CHECK (true);
+ FOR UPDATE USING (is_admin()) WITH CHECK (is_admin());
 
 CREATE POLICY professor_delete ON professors
  FOR DELETE USING (is_admin());
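Review bot: Both changed `FOR UPDATE` lines (`course_update` in the first hunk, `professor_update` in the second) are edited inside the existing `src/migrations/migration.sql`, so a database where this file has already been applied keeps the old `USING (true)` policy unless something re-creates it; no `DROP POLICY` is visible in the hunk context. If the file is not re-run from scratch, the fix should also ship as a follow-up statement such as `ALTER POLICY course_update ON courses USING (is_admin()) WITH CHECK (is_admin());`, with the same for `professor_update ON professors`. The tightened policies also depend on the rating-maintenance trigger functions being SECURITY DEFINER and owned by a role that RLS does not apply to (the table owner without FORCE ROW LEVEL SECURITY, or a role with BYPASSRLS); those definitions are outside the hunks, and if one of them is not, its UPDATE will match zero rows for non-admin users without raising an error. A comment above each policy, for example `-- UPDATE is admin-only; rating triggers run as SECURITY DEFINER and do not rely on this policy`, would record that dependency for the next editor.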