Skip to content

fix(rls): Onda 13 — audit_log_gravacao + seo_audit_log admin-only (B-3 ENCERRADA) #207

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
adm01-debug merged 1 commit into from
May 14, 2026
Merged

fix(rls): Onda 13 — audit_log_gravacao + seo_audit_log admin-only (B-3 ENCERRADA) #207

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 61 additions & 0 deletions supabase/migrations/20260514220543_onda13_rls_audit_logs_admin_only.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
-- Onda 13 (B-3 da auditoria pre-prod, 10/mai/2026): fecha 2 audit logs publicamente legiveis.
--
-- CONTEXTO:
-- Auditoria profunda apontou que `audit_log_gravacao` e `seo_audit_log` tinham SELECT
-- liberado para qualquer usuario authenticated, expondo:
-- - `audit_log_gravacao`: usuario, valor_antes, valor_depois de mudancas em
-- tabela_preco_gravacao_oficial — vaza historico de precos e quem alterou.
-- - `seo_audit_log`: historico de auditorias SEO — info interna de melhorias.
--
-- INVESTIGACAO:
-- 1. Frontend (src/) NAO consulta nenhuma das 2 (code_search confirmou — zero matches).
-- 2. Edge functions usam service_role que bypassa RLS, entao a mudanca eh transparente.
-- 3. Sao auditadas apenas via Supabase Dashboard pelo admin.
-- 4. Convencao: is_supervisor_or_above (alinhada com Ondas 5-10).
--
-- MUDANCA:
-- SELECT em ambas restrito a is_supervisor_or_above (dev, admin, supervisor, manager).
-- INSERT continua via triggers SECURITY DEFINER que bypassam RLS.
--
-- ESTADO DA B-3 APOS ESTA MIGRATION:
-- Auditoria pre-prod listou 7 tabelas overly-permissive. Estado final:
-- - audit_log: ja correta (supervisor_or_above) — fechada antes
-- - analytics_events: ja correta (self ou coord) — fechada antes
-- - product_views: ja correta (admin ou seller_id) — fechada antes
-- - search_queries: ja correta (self ou coord) — fechada antes
-- - quote_templates: ja correta (por created_by) — fechada antes
-- - sync_jobs: tabela nao existe mais — N/A
-- - notification_templates: fechada em Onda 8 (PR #199)
-- - audit_log_gravacao (esta migration): supervisor_or_above
-- - seo_audit_log (esta migration): supervisor_or_above
Comment on lines +20 to +30
-- B-3 ENCERRADA.
--
-- APLICADA EM PROD via MCP apply_migration (ADR 0006).

-- ─── audit_log_gravacao ───
DROP POLICY IF EXISTS audit_log_gravacao_read_authenticated ON public.audit_log_gravacao;

@chatgpt-codex-connector chatgpt-codex-connector Bot May 14, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Guard the migration when audit log tables are absent

On Supabase Preview branches that replay supabase/migrations from scratch, this migration will fail before applying because audit_log_gravacao and seo_audit_log are not created anywhere earlier in supabase/migrations (repo-wide rg -i only finds this new file). DROP POLICY IF EXISTS ... ON public.audit_log_gravacao still requires the target relation to exist, so branches/environments without these production-only tables hit undefined_table; wrap these policy changes in table-existence guards as done in the recent migration fixes.

Useful? React with 👍 / 👎.


CREATE POLICY audit_log_gravacao_select_supervisor_or_above
ON public.audit_log_gravacao
FOR SELECT
TO authenticated
USING (
is_supervisor_or_above((SELECT auth.uid()))
);

COMMENT ON POLICY audit_log_gravacao_select_supervisor_or_above ON public.audit_log_gravacao IS
'Onda 13 (B-3): SELECT restrito a supervisor_or_above. Audit log de gravacao expoe usuario/valor_antes/depois e nao deve vazar para vendedores. Service_role (triggers SECDEF) continua bypassando.';

-- ─── seo_audit_log ───
DROP POLICY IF EXISTS auth_read_seo_audit_log ON public.seo_audit_log;

CREATE POLICY seo_audit_log_select_supervisor_or_above
ON public.seo_audit_log
FOR SELECT
TO authenticated
USING (
is_supervisor_or_above((SELECT auth.uid()))
);

COMMENT ON POLICY seo_audit_log_select_supervisor_or_above ON public.seo_audit_log IS
'Onda 13 (B-3): SELECT restrito a supervisor_or_above. Historico de auditoria SEO eh info operacional interna, nao deve ser legivel por vendedores.';
Loading