Merged
Expand Up @@ -321,6 +321,8 @@ EXCEPTION WHEN undefined_table OR undefined_object OR undefined_function THEN NU
END $$;
DO $$
BEGIN
-- Coluna criada em prod fora do git (Lovable Dashboard). Adiciona se faltar para alinhar Preview/Prod.
ALTER TABLE public.custom_kits ADD COLUMN IF NOT EXISTS created_by uuid;

P1: Prevent forged ownership on kit inserts

Adding created_by as a client-writable nullable column makes the existing ck_insert_self check on the next line effective in fresh databases; an authenticated caller can directly insert a custom_kits row with user_id set to another user's UUID and created_by set to their own UUID, satisfying the OR (created_by = auth.uid()) branch. Because other policies/key paths use user_id to select/manage kits, this lets one user create records under another user's ownership unless the column is server-populated or the policy also requires user_id = auth.uid().

P2: Move the schema repair outside the policy guard

When ck_insert_self is absent in a database built from these migrations (repo-wide search only finds ALTER POLICY entries for that policy), the following ALTER POLICY raises undefined_object; the handler catches it, but PostgreSQL rolls back statements already executed in that protected block, so this ADD COLUMN is undone and the fresh schema still does not contain the documented created_by column. Put the column creation in its own block before the best-effort policy alteration so the schema repair persists even when the policy does not exist.

P2: Populate created_by or exclude it from ownership audit

The daily ownership-audit RPC scans every UUID owner column named created_by and counts WHERE created_by IS NULL as an issue, while the existing custom_kits insert paths only send user_id and never populate this new nullable column. On fresh environments this makes every kit created through the app appear as a null-owner violation in ownership_audit_reports even though user_id is present, so either backfill/default this column from user_id or keep custom_kits.created_by out of that audit.

ALTER POLICY "ck_insert_self" ON public."custom_kits" WITH CHECK (((user_id = (SELECT auth.uid())) OR (created_by = (SELECT auth.uid()))));
EXCEPTION WHEN undefined_table OR undefined_object OR undefined_function THEN NULL;
END $$;
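
Review bot: the added `ADD COLUMN IF NOT EXISTS created_by uuid` shares a DO block with the `ALTER POLICY "ck_insert_self"` statement, and that block's handler swallows `undefined_object`, so when the policy is missing the error rolls back everything the block already did, including the new column. `ADD COLUMN IF NOT EXISTS` is already idempotent, so it can run in its own block ahead of this one, guarded only for `undefined_table`. The column is also added nullable with no default, while the WITH CHECK accepts `created_by = (SELECT auth.uid())` on its own; requiring `user_id = (SELECT auth.uid())` in every branch, or filling `created_by` server-side instead of from the client, would remove the case where the two columns name different users. The code comment records where the column came from but not who is expected to write it; one more line stating that would help the next reader of the policy.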