fix(security): enable RLS on pinballmap_catalog (PP-kblc)#1595
Open
timothyfroehlich wants to merge 1 commit into
Supabase security advisor flagged the table as rls_disabled_in_public (ERROR) — it's exposed to PostgREST with zero row-level security. Every other public table got RLS-enabled-zero-policy treatment in migration 0034; this one was added later (0045, PBM integration) and was missed.

No policies needed: it's a read-only local mirror of PinballMap's public catalog, and app code accesses it via Drizzle superuser (bypasses RLS).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Pull request overview
Enables Row Level Security (RLS) on public.pinballmap_catalog to close a Supabase Security Advisor finding (rls_disabled_in_public) and align this table with the project’s existing “RLS enabled, zero policies” posture for public-schema tables.
Changes:
- Enabled RLS for `pinballmap_catalog` in the Drizzle schema via `.enableRLS()`.
- Added a generated migration to `ENABLE ROW LEVEL SECURITY` on `pinballmap_catalog`.
- Updated Drizzle migration metadata (snapshot + journal) to reflect the new migration and RLS state.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/server/db/schema.ts | Marks pinballmap_catalog as RLS-enabled in the Drizzle schema (.enableRLS()). |
| drizzle/0046_clear_bug.sql | Adds migration enabling RLS on pinballmap_catalog. |
| drizzle/meta/0046_snapshot.json | Records updated schema snapshot including pinballmap_catalog.isRLSEnabled = true. |
| drizzle/meta/_journal.json | Registers migration 0046_clear_bug in the Drizzle migration journal. |
Summary

- Supabase Security Advisor flagged `public.pinballmap_catalog` as `rls_disabled_in_public` (ERROR level) — RLS is completely off, exposing it to PostgREST with no row-level security at all.
- `pinballmap_catalog` was added later (0045, PBM integration) and was missed.
- `.enableRLS()` on the table + generated migration `ALTER TABLE "pinballmap_catalog" ENABLE ROW LEVEL SECURITY;`. No policies added — it's a read-only local mirror of PinballMap's public catalog data, no per-row sensitivity, and app code goes through Drizzle (bypasses RLS) not PostgREST.

Test plan

- `pnpm db:generate` — confirmed single-statement migration, no unexpected schema diff
- `pnpm db:migrate` on a fresh local DB — applied cleanly
- psql: `relrowsecurity = t` for `pinballmap_catalog`
- `pnpm run preflight` — full check + build + integration, all green (164 passed, 7 skipped, 0 failed)

🤖 Generated with Claude Code
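As an added example, not part of this PR or of the project's own code: the advisor-style check that produces a `rls_disabled_in_public`-type finding, the fix the migration applies, the `relrowsecurity` verification from the test plan, and a probe of what a PostgREST role actually sees afterwards, written as plain SQL for any Postgres database. The role names `postgres`, `anon`, `authenticated` and `service_role` are Supabase's defaults and are assumed here; the probe also assumes `anon` holds SELECT on the table (the usual Supabase default-privilege setup) and that the session role may `SET ROLE anon`.

```sql
-- Added example (not from the PR). Assumes Supabase's default role names.

-- 1. Advisor-style check: ordinary or partitioned tables in the public
--    schema whose relrowsecurity flag is false. Anything listed here is
--    reachable through PostgREST without any row filtering.
SELECT n.nspname AS schema_name,
       c.relname  AS table_name
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public'
AND    c.relkind IN ('r', 'p')
AND    NOT c.relrowsecurity
ORDER  BY c.relname;

-- 2. The fix. Enabling RLS with no policies means every role that does not
--    bypass RLS gets an implicit deny-all on this table.
ALTER TABLE public.pinballmap_catalog ENABLE ROW LEVEL SECURITY;

-- 3. Verification: relrowsecurity must now be true (the test plan's
--    "relrowsecurity = t"), and for the zero-policy posture pg_policies
--    should hold no rows for this table.
SELECT c.relrowsecurity,
       c.relforcerowsecurity,
       (SELECT count(*)
        FROM   pg_policies p
        WHERE  p.schemaname = n.nspname
        AND    p.tablename  = c.relname) AS policy_count
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public'
AND    c.relname = 'pinballmap_catalog';

-- 4. Probe from the unauthenticated PostgREST role inside a transaction so
--    the role change is undone on ROLLBACK. With RLS on and no policies the
--    SELECT is permitted but every row is filtered out, i.e. the table looks
--    empty rather than raising an error. If anon lacked SELECT on the table
--    this would instead fail with "permission denied" before RLS is consulted.
BEGIN;
SET LOCAL ROLE anon;
SELECT count(*) AS rows_visible_to_anon
FROM   public.pinballmap_catalog;
ROLLBACK;

-- 5. Caveat on "app code bypasses RLS": that only holds for superusers, for
--    roles with BYPASSRLS, and for the table owner while
--    relforcerowsecurity is false. Confirm which of the assumed roles qualify,
--    and who owns the table, before relying on it.
SELECT rolname, rolsuper, rolbypassrls
FROM   pg_roles
WHERE  rolname IN ('postgres', 'anon', 'authenticated', 'service_role');

SELECT c.relname, pg_get_userbyid(c.relowner) AS owner
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public'
AND    c.relname = 'pinballmap_catalog';
```

Step 1 is worth keeping as a recurring check (for example in CI against a freshly migrated database) precisely because of how this table was missed: a bulk RLS migration like 0034 covers the tables that exist at the time, and every later migration that creates a public table has to remember `.enableRLS()` on its own. If the application connection turns out not to be a superuser, BYPASSRLS role or owner in step 5, enabling RLS with zero policies would make the table read as empty to the app as well, which is the failure mode to rule out before shipping this kind of change.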