
fix(security): enable RLS on pinballmap_catalog (PP-kblc) #1595

Open

timothyfroehlich wants to merge 1 commit into main from fix/pinballmap-catalog-rls-PP-kblc


Conversation

@timothyfroehlich (Owner)

Summary

  • Supabase security advisor flags public.pinballmap_catalog as rls_disabled_in_public (ERROR level) — RLS is completely off, exposing it to PostgREST with no row-level security at all.
  • Every other public table got RLS-enabled-zero-policy treatment in migration 0034 (app accesses via Drizzle superuser, bypassing RLS; PostgREST/anon callers get empty sets). pinballmap_catalog was added later (0045, PBM integration) and was missed.
  • Fix mirrors the 0034 pattern exactly: .enableRLS() on the table + generated migration ALTER TABLE "pinballmap_catalog" ENABLE ROW LEVEL SECURITY;. No policies added — it's a read-only local mirror of PinballMap's public catalog data, no per-row sensitivity, and app code goes through Drizzle (bypasses RLS) not PostgREST.

Test plan

  • pnpm db:generate — confirmed single-statement migration, no unexpected schema diff
  • pnpm db:migrate on a fresh local DB — applied cleanly
  • Verified via psql: relrowsecurity = t for pinballmap_catalog
  • pnpm run preflight — full check + build + integration, all green (164 passed, 7 skipped, 0 failed)

🤖 Generated with Claude Code

Supabase security advisor flagged the table as rls_disabled_in_public
(ERROR) — it's exposed to PostgREST with zero row-level security. Every
other public table got RLS-enabled-zero-policy treatment in migration
0034; this one was added later (0045, PBM integration) and was missed.
No policies needed: it's a read-only local mirror of PinballMap's public
catalog, and app code accesses it via Drizzle superuser (bypasses RLS).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
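The RLS-enabled, zero-policy posture the description relies on, as an added SQL walk-through (not the PR's migration file or any project code): the migration statement from the PR, the relrowsecurity check from the test plan, and a session as a constructed non-owner role to show the default-deny effect. It assumes a superuser psql session on a local database where public.pinballmap_catalog already exists; the role name rls_probe is a placeholder.

```sql
-- Added example, not the project's code. Run as a superuser in psql on a local
-- DB where public.pinballmap_catalog exists. rls_probe is a constructed,
-- non-owner, non-superuser role standing in for a PostgREST/anon caller.

-- 1. The statement the PR's generated migration contains: RLS on, no policies.
ALTER TABLE "pinballmap_catalog" ENABLE ROW LEVEL SECURITY;

-- 2. The test plan's verification: relrowsecurity reads t once RLS is enabled.
--    relforcerowsecurity stays f, so the table owner is not subject to RLS.
SELECT c.relname,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced_on_owner
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public'
  AND  c.relname = 'pinballmap_catalog';

-- 3. Confirm the zero-policy state: RLS with no policies is default-deny,
--    which is the intended posture for a read-only mirror.
SELECT polname
FROM   pg_policy
WHERE  polrelid = 'public.pinballmap_catalog'::regclass;

-- 4. What a non-owner, non-superuser caller now sees. Even with SELECT granted,
--    no policy permits any row, so the query returns a count of zero.
CREATE ROLE rls_probe NOLOGIN;
GRANT USAGE ON SCHEMA public TO rls_probe;
GRANT SELECT ON public.pinballmap_catalog TO rls_probe;

SET ROLE rls_probe;
SELECT count(*) AS rows_visible_to_anon FROM public.pinballmap_catalog;
RESET ROLE;

-- 5. The superuser/owner connection the app uses through Drizzle bypasses RLS
--    (BYPASSRLS for superusers; owners unless FORCE ROW LEVEL SECURITY is set),
--    so application reads of the catalog are unchanged.
SELECT count(*) AS rows_visible_to_app FROM public.pinballmap_catalog;

-- 6. Sweep for the class of gap this PR closes: any ordinary table in public
--    that still has RLS disabled. An empty result means nothing was missed.
SELECT c.relname
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public'
  AND  c.relkind = 'r'
  AND  NOT c.relrowsecurity;

-- Cleanup: revoke the probe role's privileges before dropping it.
DROP OWNED BY rls_probe;
DROP ROLE rls_probe;
```

Step 6 is worth keeping as a recurring check, since a table added after a blanket migration is exactly how this finding arose.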
Copilot AI review requested due to automatic review settings July 2, 2026 19:20
@vercel (Bot) commented Jul 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project     Deployment   Actions             Updated (UTC)
pin-point   Ready        Preview, Comment    Jul 2, 2026 7:21pm

Copilot AI (Contributor) left a comment

Pull request overview

Enables Row Level Security (RLS) on public.pinballmap_catalog to close a Supabase Security Advisor finding (rls_disabled_in_public) and align this table with the project’s existing “RLS enabled, zero policies” posture for public-schema tables.

Changes:

  • Enabled RLS for pinballmap_catalog in the Drizzle schema via .enableRLS().
  • Added a generated migration to ENABLE ROW LEVEL SECURITY on pinballmap_catalog.
  • Updated Drizzle migration metadata (snapshot + journal) to reflect the new migration and RLS state.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File                              Description
src/server/db/schema.ts           Marks pinballmap_catalog as RLS-enabled in the Drizzle schema (.enableRLS()).
drizzle/0046_clear_bug.sql        Adds migration enabling RLS on pinballmap_catalog.
drizzle/meta/0046_snapshot.json   Records updated schema snapshot including pinballmap_catalog.isRLSEnabled = true.
drizzle/meta/_journal.json        Registers migration 0046_clear_bug in the Drizzle migration journal.
