-- Security lint remediations
-- 1) Make view_searchable_tags SECURITY INVOKER (avoid definer semantics)
create or replace view view_searchable_tags
-- security_invoker (PostgreSQL 15+): the view body runs with the caller's
-- privileges and the caller's RLS on posts, not the view owner's.
with (security_invoker = true) as
-- One row per distinct tag over live posts, with how many posts carry it.
select
    t.tag as tag,
    count(*) as count
from posts as p
cross join lateral unnest(p.tags) as t(tag)
where p.deleted_at is null
    and p.tags is not null
    and array_length(p.tags, 1) > 0
group by t.tag
order by count desc;
-- 2) Enable RLS on notifications with per-user visibility
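-- Turn on RLS. Only a select policy is defined below, so for roles subject to
-- RLS every insert/update/delete is denied by default until a policy opens it.
-- The `if exists` here is not matched by `create policy` below, which fails
-- when the table is missing -- the table is effectively required.
alter table if exists notifications enable row level security;

-- Drop-then-create keeps the migration re-runnable (there is no
-- `create policy if not exists`).
drop policy if exists "Users can view own notifications" on notifications;

-- A user may read only rows whose user_id equals the JWT subject.
-- auth.uid() is wrapped in a scalar subquery so it can be evaluated once per
-- statement rather than once per candidate row (the Supabase-recommended
-- form); the filter result is identical. A NULL user_id, or an anonymous
-- caller for whom auth.uid() is NULL, compares UNKNOWN and stays hidden.
create policy "Users can view own notifications" on notifications
    for select
    using (user_id = (select auth.uid()));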
-- Allow inserts/updates/deletes via service role (if your functions need it)
-- Re-runnable: drop the policy first, then create it.
drop policy if exists "Service role manages notifications" on notifications;

-- Grants every command (select/insert/update/delete) when the request JWT's
-- role claim is 'service_role'. The defaults (permissive, all roles) are
-- spelled out so the scope is visible at a glance.
-- NOTE(review): auth.role() reads the role claim of the current JWT; on
-- Supabase the service_role database role normally bypasses RLS anyway, so
-- this policy mostly matters for callers that carry the claim under another
-- database role. Confirm which path your functions actually use.
create policy "Service role manages notifications" on notifications
    as permissive
    for all
    to public
    using ('service_role' = auth.role())
    with check ('service_role' = auth.role());
-- 3) Enforce RLS on spatial_ref_sys unconditionally (run as owner/superuser)
-- spatial_ref_sys belongs to the PostGIS extension: enabling RLS on it needs
-- the table owner or a superuser. Deliberately no `if exists` -- a missing
-- table or insufficient privilege should abort the migration loudly.
alter table spatial_ref_sys enable row level security;

-- Re-runnable: drop the policy first, then create it.
drop policy if exists "Public read spatial_ref_sys" on spatial_ref_sys;

-- Reference data stays world-readable; with no other policy, writes by roles
-- subject to RLS are denied by default.
create policy "Public read spatial_ref_sys" on spatial_ref_sys
    as permissive
    for select
    to public
    using (true);