From 282e7d0528bfd94088bca1544f649087e10efabf Mon Sep 17 00:00:00 2001
From: giancarlo
Date: Sun, 28 Apr 2024 14:24:47 +0700
Subject: [PATCH] Update search path in database functions and add new indices
The search path in various database functions has been updated to '' for uniformity and security reasons. Additionally, new indices were added for the 'accounts_memberships' and 'invitations' tables to improve database performance. Some references to 'app_permissions' have also been updated to 'public.app_permissions' ensuring proper data access.
---
 .../migrations/20221215192558_schema.sql | 89 +++++++++----------
 1 file changed, 44 insertions(+), 45 deletions(-)
diff --git a/apps/web/supabase/migrations/20221215192558_schema.sql b/apps/web/supabase/migrations/20221215192558_schema.sql
index 115c9c298..bdf04e906 100644
--- a/apps/web/supabase/migrations/20221215192558_schema.sql
+++ b/apps/web/supabase/migrations/20221215192558_schema.sql
@@ -197,7 +197,7 @@ select
 create or replace function public.get_config () returns json set
- search_path = public as $$
+ search_path = '' as $$
 declare result record; begin
@@ -217,7 +217,7 @@ $$ language plpgsql;
 create or replace function public.trigger_set_timestamps () returns trigger set
- search_path = public as $$
+ search_path = '' as $$
 begin if TG_OP = 'INSERT' then new.created_at = now();
@@ -240,7 +240,7 @@ $$ language plpgsql;
 create or replace function public.trigger_set_user_tracking () returns trigger set
- search_path = public as $$
+ search_path = '' as $$
 begin if TG_OP = 'INSERT' then new.created_by = auth.uid();
@@ -267,7 +267,7 @@ service_role;
 create or replace function public.is_set (field_name text) returns boolean set
- search_path = public as $$
+ search_path = '' as $$
 declare result boolean; begin
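Review bot: With `search_path = ''` only pg_catalog and temp objects resolve implicitly, so every table, type and function named inside the bodies of `public.get_config`, `public.is_set` and the other rewritten functions must be schema-qualified — including calls to extension functions, which Supabase typically installs under the `extensions` schema rather than `public`. Those bodies lie outside the hunks, so this cannot be verified from the diff; the `'members.manage'::app_permissions` fix later in this patch is exactly the kind of unqualified reference that stops resolving, and a pass over each body for others is worth doing before merge. The same applies to every `search_path = ''` hunk down to `kit.get_storage_filename_as_uuid`. For the `security definer` functions such as `kit.add_current_user_to_new_account` the empty search path also removes the dependence on the caller's session search path that the commit message alludes to; for the invoker-rights functions the gain is mainly consistency.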
@@ -373,7 +373,7 @@ with
 create or replace function public.transfer_team_account_ownership (target_account_id uuid, new_owner_id uuid) returns void set
- search_path = public as $$
+ search_path = '' as $$
 begin if current_user not in('service_role') then raise exception 'You do not have permission to transfer account ownership';
@@ -422,7 +422,7 @@ execute on function public.transfer_team_account_ownership (uuid, uuid) to servi
 create or replace function public.is_account_owner (account_id uuid) returns boolean set
- search_path = public as $$
+ search_path = '' as $$
 select exists( select
@@ -456,7 +456,7 @@ begin return NEW; end
-$$ language plpgsql;
+$$ language plpgsql set search_path = '';
 -- trigger to protect account fields create trigger protect_account_fields before
@@ -468,7 +468,7 @@ execute function kit.protect_account_fields ();
 create or replace function public.get_upper_system_role () returns varchar set
- search_path = public as $$
+ search_path = '' as $$
 declare role varchar(50); begin
@@ -488,7 +488,7 @@ execute on function public.get_upper_system_role () to service_role;
 create or replace function kit.add_current_user_to_new_account () returns trigger language plpgsql security definer set
- search_path = public as $$
+ search_path = '' as $$
 begin if new.primary_owner_user_id = auth.uid() then insert into public.accounts_memberships(
@@ -517,7 +517,7 @@ execute function kit.add_current_user_to_new_account ();
 create or replace function kit.handle_update_user_email () returns trigger language plpgsql security definer set
- search_path = public as $$
+ search_path = '' as $$
 begin update public.accounts
@@ -566,7 +566,7 @@ select
 create or replace function kit.get_system_role_uuid () returns uuid set
- search_path = public as $$
+ search_path = '' as $$
 begin return 'fd4f287c-762e-42b7-8207-b1252f799670'; end; $$ language plpgsql immutable;
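Review bot: The search-path setting for `kit.protect_account_fields` is appended to the `$$` terminator line as `language plpgsql set search_path = ''`, whereas every other function in this patch carries it before `as $$`, and `kit.slugify` later uses the third spelling `set search_path to ''`; all are valid Postgres, but one form throughout means a grep for the setting finds every function. The function header is outside the hunk, so assuming it has no other `set` clause, `set search_path = '' as $$` in the header would match the rest of the file. Mention of the `kit.slugify` hunk is included here so the inconsistency is fixed in both places at once.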
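Review bot: `kit.get_system_role_uuid` returns the bare literal `'fd4f287c-762e-42b7-8207-b1252f799670'` with nothing saying what that UUID identifies or where the matching value must live, so a reader cannot tell whether it is a seeded row, a configuration value, or something else. A one-line comment above the `return`, naming what the fixed id refers to and where it is defined, would document the magic constant; the function is also `immutable`, which is only correct as long as that value never changes, and the comment is the place to say so.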
@@ -597,7 +597,7 @@ create index idx_roles_account_id on public.roles (account_id);
 create or replace function kit.check_non_personal_account_roles () returns trigger set
- search_path = public as $$
+ search_path = '' as $$
 begin if new.account_id is not null and( select
@@ -656,8 +656,8 @@ delete on table public.accounts_memberships to service_role;
 -- Indexes on the accounts_memberships table create index ix_accounts_memberships_account_id on public.accounts_memberships (account_id);
-
 create index ix_accounts_memberships_user_id on public.accounts_memberships (user_id);
+create index ix_accounts_memberships_account_role on public.accounts_memberships (account_role);
 -- Enable RLS on the accounts_memberships table alter table public.accounts_memberships enable row level security;
@@ -667,7 +667,7 @@ alter table public.accounts_memberships enable row level security;
 create or replace function kit.prevent_account_owner_membership_delete () returns trigger set
- search_path = public as $$
+ search_path = '' as $$
 begin if exists( select
@@ -699,7 +699,7 @@ or replace function public.has_role_on_account (
 account_role varchar(50) default null ) returns boolean language sql security definer set
- search_path = public as $$
+ search_path = '' as $$
 select exists( select
@@ -721,7 +721,7 @@ execute on function public.has_role_on_account (uuid, varchar) to authenticated;
 create or replace function public.is_team_member (account_id uuid, user_id uuid) returns boolean language sql security definer set
- search_path = public as $$
+ search_path = '' as $$
 select exists( select
@@ -753,7 +753,7 @@ select
 create or replace function public.can_action_account_member (target_team_account_id uuid, target_user_id uuid) returns boolean set
- search_path = public as $$
+ search_path = '' as $$
 declare permission_granted boolean; target_user_hierarchy_level int;
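Review bot: The new `ix_accounts_memberships_account_role` index here, and `ix_invitations_role` in the `@@ -1176` hunk, are added without a note of which query they serve, and the commit message only says "performance". A single-column index on a role column is low-cardinality and is rarely chosen for filtering; its usual justification on a column that references `public.roles (name)` — the pattern `role_permissions.role` follows later in this file — is to speed the referential check when a roles row is updated or deleted, because Postgres does not index foreign-key columns automatically. Whether `account_role` and `role` are such FK columns is outside the hunks; a comment on each such as `-- supports FK checks against public.roles` (or the actual query it serves) would document the intent and justify the write cost.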
@@ -781,17 +781,15 @@ begin
 id = target_team_account_id and primary_owner_user_id = target_user_id) into is_account_owner;
-
 if is_account_owner then raise exception 'The primary account owner cannot be actioned'; end if;
-
 -- validate the auth user has the required permission on the account -- to manage members of the account select public.has_permission(auth.uid(), target_team_account_id,
- 'members.manage'::app_permissions) into
+ 'members.manage'::public.app_permissions) into
 permission_granted; -- if the user does not have the required permission, raise an exception
@@ -864,7 +862,7 @@ select
 create or replace function public.is_account_team_member (target_account_id uuid) returns boolean set
- search_path = public as $$
+ search_path = '' as $$
 select exists( select 1 from public.accounts_memberships as membership
@@ -919,7 +917,7 @@ create table if not exists public.role_permissions ( id bigint generated by default as identity primary key, role varchar(50) references public.roles (name) not null,
- permission app_permissions not null,
+ permission public.app_permissions not null,
 unique (role, permission) );
@@ -951,10 +949,10 @@ create or replace function public.has_permission ( user_id uuid, account_id uuid,
- permission_name app_permissions
+ permission_name public.app_permissions
 ) returns boolean set
- search_path = public as $$
+ search_path = '' as $$
 begin return exists( select
@@ -986,7 +984,7 @@ or replace function public.has_more_elevated_role (
 role_name varchar ) returns boolean set
- search_path = public as $$
+ search_path = '' as $$
 declare declare is_primary_owner boolean; user_role_hierarchy_level int;
@@ -1063,7 +1061,7 @@ or replace function public.has_same_role_hierarchy_level (
 role_name varchar ) returns boolean set
- search_path = public as $$
+ search_path = '' as $$
 declare is_primary_owner boolean; user_role_hierarchy_level int;
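Review bot: The declaration section of `public.has_more_elevated_role` reads `declare declare is_primary_owner boolean;` — a duplicated keyword on the context line right after the new `search_path = '' as $$`. PL/pgSQL accepts a repeated `declare`, so the function still parses, but it is a typo that the commit touches the line next to and leaves in place; reduce it to a single `declare`, as the sibling `public.has_same_role_hierarchy_level` hunk below shows. The function body continues outside the hunk.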
@@ -1176,6 +1174,7 @@ comment on column public.invitations.email is 'The email of the user being invit
 -- Indexes on the invitations table create index ix_invitations_account_id on public.invitations (account_id);
+create index ix_invitations_role on public.invitations (role);
 -- Open up access to invitations table for authenticated users and -- service_role
@@ -1195,7 +1194,7 @@ alter table public.invitations enable row level security;
 create or replace function kit.check_team_account () returns trigger set
- search_path = public as $$
+ search_path = '' as $$
 begin if( select
@@ -1239,7 +1238,7 @@ with
 auth.uid () ), account_id,
- 'invites.manage'::app_permissions
+ 'invites.manage'::public.app_permissions
 ) and public.has_same_role_hierarchy_level ( (
@@ -1263,7 +1262,7 @@ for update
 auth.uid () ), account_id,
- 'invites.manage'::app_permissions
+ 'invites.manage'::public.app_permissions
 ) and public.has_more_elevated_role ( (
@@ -1282,7 +1281,7 @@ with
 auth.uid () ), account_id,
- 'invites.manage'::app_permissions
+ 'invites.manage'::public.app_permissions
 ) and public.has_more_elevated_role ( (
@@ -1304,7 +1303,7 @@ create policy invitations_delete on public.invitations for delete to authenticat
 auth.uid () ), account_id,
- 'invites.manage'::app_permissions
+ 'invites.manage'::public.app_permissions
 ) );
@@ -1313,7 +1312,7 @@ create policy invitations_delete on public.invitations for delete to authenticat
 create or replace function accept_invitation (token text, user_id uuid) returns uuid set
- search_path = public as $$
+ search_path = '' as $$
 declare target_account_id uuid; target_role varchar(50);
@@ -1518,7 +1517,7 @@ or replace function public.upsert_subscription (
 trial_ends_at timestamptz default null ) returns public.subscriptions set
- search_path = public as $$
+ search_path = '' as $$
 declare new_subscription public.subscriptions; new_billing_customer_id int;
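Review bot: `accept_invitation` is created without a schema prefix, unlike every other function in this migration (`public.create_invitation`, `kit.check_team_account`, …), so it lands in whichever schema the migration session's `search_path` points at, and this hunk now gives the function itself an empty search path while leaving its own name unqualified. Change the definition to `create or replace function public.accept_invitation (token text, user_id uuid)` and qualify any grant statements for it the same way, if present; those lie outside the hunk.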
@@ -1884,7 +1883,7 @@ or replace function public.upsert_order (
 line_items jsonb ) returns public.orders set
- search_path = public as $$
+ search_path = '' as $$
 declare new_order public.orders; new_billing_customer_id int;
@@ -2013,7 +2012,7 @@ or replace function kit.slugify ("value" text) returns text as $$ "value" from "trimmed";
-$$ language SQL strict immutable;
+$$ language SQL strict immutable set search_path to '';
 grant execute on function kit.slugify (text) to service_role,
@@ -2024,7 +2023,7 @@ authenticated;
 create or replace function kit.set_slug_from_account_name () returns trigger language plpgsql security definer set
- search_path = public as $$
+ search_path = '' as $$
 declare sql_string varchar; tmp_slug varchar;
@@ -2089,7 +2088,7 @@ execute procedure kit.set_slug_from_account_name ();
 create or replace function kit.setup_new_user () returns trigger language plpgsql security definer set
- search_path = public as $$
+ search_path = '' as $$
 declare user_name text; begin
@@ -2137,7 +2136,7 @@ execute procedure kit.setup_new_user ();
 create or replace function public.create_team_account (account_name text) returns public.accounts set
- search_path = public as $$
+ search_path = '' as $$
 declare new_account public.accounts; begin
@@ -2178,7 +2177,7 @@ with
 create or replace function public.create_invitation (account_id uuid, email text, role varchar(50)) returns public.invitations set
- search_path = public as $$
+ search_path = '' as $$
 declare new_invitation public.invitations; invite_token text;
@@ -2276,7 +2275,7 @@ or replace function public.team_account_workspace (account_slug text) returns ta
 permissions public.app_permissions[] ) set
- search_path = public as $$
+ search_path = '' as $$
 begin return QUERY select
@@ -2331,7 +2330,7 @@ or replace function public.get_account_members (account_slug text) returns table
 updated_at timestamptz ) language plpgsql set
- search_path = public as $$
+ search_path = '' as $$
 begin return QUERY select
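Review bot: `kit.set_slug_from_account_name` is `security definer` and declares `sql_string varchar`, which suggests its body assembles and executes SQL at runtime; the new `search_path = ''` in the header does not reach inside that string, so every object it names must be schema-qualified there as well, and if the account name feeds into it the string should be built with `format()` using `%L`/`%I` rather than concatenation. The body is outside the hunk, so this is a request to verify rather than a confirmed defect; a comment at the top of the body stating that all dynamic SQL is fully qualified would record the check.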
@@ -2378,7 +2377,7 @@ or replace function public.get_account_invitations (account_slug text) returns t
 inviter_email varchar ) set
- search_path = public as $$
+ search_path = '' as $$
 begin return query select
@@ -2414,7 +2413,7 @@ or replace function public.add_invitations_to_account (
 invitations public.invitation[] ) returns public.invitations[] set
- search_path = public as $$
+ search_path = '' as $$
 declare new_invitation public.invitations; all_invitations public.invitations[] := array[]::public.invitations[];
@@ -2464,7 +2463,7 @@ service_role;
 create or replace function public.has_active_subscription (target_account_id uuid) returns boolean set
- search_path = public as $$
+ search_path = '' as $$
 begin return exists ( select
@@ -2495,7 +2494,7 @@ values
 create or replace function kit.get_storage_filename_as_uuid (name text) returns uuid set
- search_path = storage as $$
+ search_path = '' as $$
 begin return replace(storage.filename(name), concat('.', storage.extension(name)), '')::uuid;