Update search path in database functions and add new indices

The search path in various database functions has been updated to an empty string ('') for uniformity and security reasons. Additionally, new indices were added for the 'accounts_memberships' and 'invitations' tables to improve database performance. Some references to 'app_permissions' have also been updated to the schema-qualified 'public.app_permissions', ensuring proper data access.
giancarlo
2024-04-28 14:24:47 +07:00
parent c11168a8c7
commit 282e7d0528


@@ -197,7 +197,7 @@ select
create create
or replace function public.get_config () returns json or replace function public.get_config () returns json
set set
search_path = public as $$ search_path = '' as $$
declare declare
result record; result record;
begin begin
@@ -217,7 +217,7 @@ $$ language plpgsql;
create create
or replace function public.trigger_set_timestamps () returns trigger or replace function public.trigger_set_timestamps () returns trigger
set set
search_path = public as $$ search_path = '' as $$
begin begin
if TG_OP = 'INSERT' then if TG_OP = 'INSERT' then
new.created_at = now(); new.created_at = now();
@@ -240,7 +240,7 @@ $$ language plpgsql;
create create
or replace function public.trigger_set_user_tracking () returns trigger or replace function public.trigger_set_user_tracking () returns trigger
set set
search_path = public as $$ search_path = '' as $$
begin begin
if TG_OP = 'INSERT' then if TG_OP = 'INSERT' then
new.created_by = auth.uid(); new.created_by = auth.uid();
@@ -267,7 +267,7 @@ service_role;
create create
or replace function public.is_set (field_name text) returns boolean or replace function public.is_set (field_name text) returns boolean
set set
search_path = public as $$ search_path = '' as $$
declare declare
result boolean; result boolean;
begin begin
@@ -373,7 +373,7 @@ with
create create
or replace function public.transfer_team_account_ownership (target_account_id uuid, new_owner_id uuid) returns void or replace function public.transfer_team_account_ownership (target_account_id uuid, new_owner_id uuid) returns void
set set
search_path = public as $$ search_path = '' as $$
begin begin
if current_user not in('service_role') then if current_user not in('service_role') then
raise exception 'You do not have permission to transfer account ownership'; raise exception 'You do not have permission to transfer account ownership';
@@ -422,7 +422,7 @@ execute on function public.transfer_team_account_ownership (uuid, uuid) to servi
create create
or replace function public.is_account_owner (account_id uuid) returns boolean or replace function public.is_account_owner (account_id uuid) returns boolean
set set
search_path = public as $$ search_path = '' as $$
select select
exists( exists(
select select
@@ -456,7 +456,7 @@ begin
return NEW; return NEW;
end end
$$ language plpgsql; $$ language plpgsql set search_path = '';
-- trigger to protect account fields -- trigger to protect account fields
create trigger protect_account_fields before create trigger protect_account_fields before
@@ -468,7 +468,7 @@ execute function kit.protect_account_fields ();
create create
or replace function public.get_upper_system_role () returns varchar or replace function public.get_upper_system_role () returns varchar
set set
search_path = public as $$ search_path = '' as $$
declare declare
role varchar(50); role varchar(50);
begin begin
@@ -488,7 +488,7 @@ execute on function public.get_upper_system_role () to service_role;
create create
or replace function kit.add_current_user_to_new_account () returns trigger language plpgsql security definer or replace function kit.add_current_user_to_new_account () returns trigger language plpgsql security definer
set set
search_path = public as $$ search_path = '' as $$
begin begin
if new.primary_owner_user_id = auth.uid() then if new.primary_owner_user_id = auth.uid() then
insert into public.accounts_memberships( insert into public.accounts_memberships(
@@ -517,7 +517,7 @@ execute function kit.add_current_user_to_new_account ();
create create
or replace function kit.handle_update_user_email () returns trigger language plpgsql security definer or replace function kit.handle_update_user_email () returns trigger language plpgsql security definer
set set
search_path = public as $$ search_path = '' as $$
begin begin
update update
public.accounts public.accounts
@@ -566,7 +566,7 @@ select
create create
or replace function kit.get_system_role_uuid () returns uuid or replace function kit.get_system_role_uuid () returns uuid
set set
search_path = public as $$ search_path = '' as $$
begin begin
return 'fd4f287c-762e-42b7-8207-b1252f799670'; return 'fd4f287c-762e-42b7-8207-b1252f799670';
end; $$ language plpgsql immutable; end; $$ language plpgsql immutable;
@@ -597,7 +597,7 @@ create index idx_roles_account_id on public.roles (account_id);
create create
or replace function kit.check_non_personal_account_roles () returns trigger or replace function kit.check_non_personal_account_roles () returns trigger
set set
search_path = public as $$ search_path = '' as $$
begin begin
if new.account_id is not null and( if new.account_id is not null and(
select select
@@ -656,8 +656,8 @@ delete on table public.accounts_memberships to service_role;
-- Indexes on the accounts_memberships table -- Indexes on the accounts_memberships table
create index ix_accounts_memberships_account_id on public.accounts_memberships (account_id); create index ix_accounts_memberships_account_id on public.accounts_memberships (account_id);
create index ix_accounts_memberships_user_id on public.accounts_memberships (user_id); create index ix_accounts_memberships_user_id on public.accounts_memberships (user_id);
create index ix_accounts_memberships_account_role on public.accounts_memberships (account_role);
-- Enable RLS on the accounts_memberships table -- Enable RLS on the accounts_memberships table
alter table public.accounts_memberships enable row level security; alter table public.accounts_memberships enable row level security;
@@ -667,7 +667,7 @@ alter table public.accounts_memberships enable row level security;
create create
or replace function kit.prevent_account_owner_membership_delete () returns trigger or replace function kit.prevent_account_owner_membership_delete () returns trigger
set set
search_path = public as $$ search_path = '' as $$
begin begin
if exists( if exists(
select select
@@ -699,7 +699,7 @@ or replace function public.has_role_on_account (
account_role varchar(50) default null account_role varchar(50) default null
) returns boolean language sql security definer ) returns boolean language sql security definer
set set
search_path = public as $$ search_path = '' as $$
select select
exists( exists(
select select
@@ -721,7 +721,7 @@ execute on function public.has_role_on_account (uuid, varchar) to authenticated;
create create
or replace function public.is_team_member (account_id uuid, user_id uuid) returns boolean language sql security definer or replace function public.is_team_member (account_id uuid, user_id uuid) returns boolean language sql security definer
set set
search_path = public as $$ search_path = '' as $$
select select
exists( exists(
select select
@@ -753,7 +753,7 @@ select
create create
or replace function public.can_action_account_member (target_team_account_id uuid, target_user_id uuid) returns boolean or replace function public.can_action_account_member (target_team_account_id uuid, target_user_id uuid) returns boolean
set set
search_path = public as $$ search_path = '' as $$
declare declare
permission_granted boolean; permission_granted boolean;
target_user_hierarchy_level int; target_user_hierarchy_level int;
@@ -781,17 +781,15 @@ begin
id = target_team_account_id id = target_team_account_id
and primary_owner_user_id = target_user_id) into is_account_owner; and primary_owner_user_id = target_user_id) into is_account_owner;
if is_account_owner then if is_account_owner then
raise exception 'The primary account owner cannot be actioned'; raise exception 'The primary account owner cannot be actioned';
end if; end if;
-- validate the auth user has the required permission on the account -- validate the auth user has the required permission on the account
-- to manage members of the account -- to manage members of the account
select select
public.has_permission(auth.uid(), target_team_account_id, public.has_permission(auth.uid(), target_team_account_id,
'members.manage'::app_permissions) into 'members.manage'::public.app_permissions) into
permission_granted; permission_granted;
-- if the user does not have the required permission, raise an exception -- if the user does not have the required permission, raise an exception
@@ -864,7 +862,7 @@ select
create create
or replace function public.is_account_team_member (target_account_id uuid) returns boolean or replace function public.is_account_team_member (target_account_id uuid) returns boolean
set set
search_path = public as $$ search_path = '' as $$
select exists( select exists(
select 1 select 1
from public.accounts_memberships as membership from public.accounts_memberships as membership
@@ -919,7 +917,7 @@ create table if not exists
public.role_permissions ( public.role_permissions (
id bigint generated by default as identity primary key, id bigint generated by default as identity primary key,
role varchar(50) references public.roles (name) not null, role varchar(50) references public.roles (name) not null,
permission app_permissions not null, permission public.app_permissions not null,
unique (role, permission) unique (role, permission)
); );
@@ -951,10 +949,10 @@ create
or replace function public.has_permission ( or replace function public.has_permission (
user_id uuid, user_id uuid,
account_id uuid, account_id uuid,
permission_name app_permissions permission_name public.app_permissions
) returns boolean ) returns boolean
set set
search_path = public as $$ search_path = '' as $$
begin begin
return exists( return exists(
select select
@@ -986,7 +984,7 @@ or replace function public.has_more_elevated_role (
role_name varchar role_name varchar
) returns boolean ) returns boolean
set set
search_path = public as $$ search_path = '' as $$
declare declare
declare is_primary_owner boolean; declare is_primary_owner boolean;
user_role_hierarchy_level int; user_role_hierarchy_level int;
@@ -1063,7 +1061,7 @@ or replace function public.has_same_role_hierarchy_level (
role_name varchar role_name varchar
) returns boolean ) returns boolean
set set
search_path = public as $$ search_path = '' as $$
declare declare
is_primary_owner boolean; is_primary_owner boolean;
user_role_hierarchy_level int; user_role_hierarchy_level int;
@@ -1176,6 +1174,7 @@ comment on column public.invitations.email is 'The email of the user being invit
-- Indexes on the invitations table -- Indexes on the invitations table
create index ix_invitations_account_id on public.invitations (account_id); create index ix_invitations_account_id on public.invitations (account_id);
create index ix_invitations_role on public.invitations (role);
-- Open up access to invitations table for authenticated users and -- Open up access to invitations table for authenticated users and
-- service_role -- service_role
@@ -1195,7 +1194,7 @@ alter table public.invitations enable row level security;
create create
or replace function kit.check_team_account () returns trigger or replace function kit.check_team_account () returns trigger
set set
search_path = public as $$ search_path = '' as $$
begin begin
if( if(
select select
@@ -1239,7 +1238,7 @@ with
auth.uid () auth.uid ()
), ),
account_id, account_id,
'invites.manage'::app_permissions 'invites.manage'::public.app_permissions
) )
and public.has_same_role_hierarchy_level ( and public.has_same_role_hierarchy_level (
( (
@@ -1263,7 +1262,7 @@ for update
auth.uid () auth.uid ()
), ),
account_id, account_id,
'invites.manage'::app_permissions 'invites.manage'::public.app_permissions
) )
and public.has_more_elevated_role ( and public.has_more_elevated_role (
( (
@@ -1282,7 +1281,7 @@ with
auth.uid () auth.uid ()
), ),
account_id, account_id,
'invites.manage'::app_permissions 'invites.manage'::public.app_permissions
) )
and public.has_more_elevated_role ( and public.has_more_elevated_role (
( (
@@ -1304,7 +1303,7 @@ create policy invitations_delete on public.invitations for delete to authenticat
auth.uid () auth.uid ()
), ),
account_id, account_id,
'invites.manage'::app_permissions 'invites.manage'::public.app_permissions
) )
); );
@@ -1313,7 +1312,7 @@ create policy invitations_delete on public.invitations for delete to authenticat
create create
or replace function accept_invitation (token text, user_id uuid) returns uuid or replace function accept_invitation (token text, user_id uuid) returns uuid
set set
search_path = public as $$ search_path = '' as $$
declare declare
target_account_id uuid; target_account_id uuid;
target_role varchar(50); target_role varchar(50);
@@ -1518,7 +1517,7 @@ or replace function public.upsert_subscription (
trial_ends_at timestamptz default null trial_ends_at timestamptz default null
) returns public.subscriptions ) returns public.subscriptions
set set
search_path = public as $$ search_path = '' as $$
declare declare
new_subscription public.subscriptions; new_subscription public.subscriptions;
new_billing_customer_id int; new_billing_customer_id int;
@@ -1884,7 +1883,7 @@ or replace function public.upsert_order (
line_items jsonb line_items jsonb
) returns public.orders ) returns public.orders
set set
search_path = public as $$ search_path = '' as $$
declare declare
new_order public.orders; new_order public.orders;
new_billing_customer_id int; new_billing_customer_id int;
@@ -2013,7 +2012,7 @@ or replace function kit.slugify ("value" text) returns text as $$
"value" "value"
from from
"trimmed"; "trimmed";
$$ language SQL strict immutable; $$ language SQL strict immutable set search_path to '';
grant grant
execute on function kit.slugify (text) to service_role, execute on function kit.slugify (text) to service_role,
@@ -2024,7 +2023,7 @@ authenticated;
create create
or replace function kit.set_slug_from_account_name () returns trigger language plpgsql security definer or replace function kit.set_slug_from_account_name () returns trigger language plpgsql security definer
set set
search_path = public as $$ search_path = '' as $$
declare declare
sql_string varchar; sql_string varchar;
tmp_slug varchar; tmp_slug varchar;
@@ -2089,7 +2088,7 @@ execute procedure kit.set_slug_from_account_name ();
create create
or replace function kit.setup_new_user () returns trigger language plpgsql security definer or replace function kit.setup_new_user () returns trigger language plpgsql security definer
set set
search_path = public as $$ search_path = '' as $$
declare declare
user_name text; user_name text;
begin begin
@@ -2137,7 +2136,7 @@ execute procedure kit.setup_new_user ();
create create
or replace function public.create_team_account (account_name text) returns public.accounts or replace function public.create_team_account (account_name text) returns public.accounts
set set
search_path = public as $$ search_path = '' as $$
declare declare
new_account public.accounts; new_account public.accounts;
begin begin
@@ -2178,7 +2177,7 @@ with
create create
or replace function public.create_invitation (account_id uuid, email text, role varchar(50)) returns public.invitations or replace function public.create_invitation (account_id uuid, email text, role varchar(50)) returns public.invitations
set set
search_path = public as $$ search_path = '' as $$
declare declare
new_invitation public.invitations; new_invitation public.invitations;
invite_token text; invite_token text;
@@ -2276,7 +2275,7 @@ or replace function public.team_account_workspace (account_slug text) returns ta
permissions public.app_permissions[] permissions public.app_permissions[]
) )
set set
search_path = public as $$ search_path = '' as $$
begin begin
return QUERY return QUERY
select select
@@ -2331,7 +2330,7 @@ or replace function public.get_account_members (account_slug text) returns table
updated_at timestamptz updated_at timestamptz
) language plpgsql ) language plpgsql
set set
search_path = public as $$ search_path = '' as $$
begin begin
return QUERY return QUERY
select select
@@ -2378,7 +2377,7 @@ or replace function public.get_account_invitations (account_slug text) returns t
inviter_email varchar inviter_email varchar
) )
set set
search_path = public as $$ search_path = '' as $$
begin begin
return query return query
select select
@@ -2414,7 +2413,7 @@ or replace function public.add_invitations_to_account (
invitations public.invitation[] invitations public.invitation[]
) returns public.invitations[] ) returns public.invitations[]
set set
search_path = public as $$ search_path = '' as $$
declare declare
new_invitation public.invitations; new_invitation public.invitations;
all_invitations public.invitations[] := array[]::public.invitations[]; all_invitations public.invitations[] := array[]::public.invitations[];
@@ -2464,7 +2463,7 @@ service_role;
create create
or replace function public.has_active_subscription (target_account_id uuid) returns boolean or replace function public.has_active_subscription (target_account_id uuid) returns boolean
set set
search_path = public as $$ search_path = '' as $$
begin begin
return exists ( return exists (
select select
@@ -2495,7 +2494,7 @@ values
create create
or replace function kit.get_storage_filename_as_uuid (name text) returns uuid or replace function kit.get_storage_filename_as_uuid (name text) returns uuid
set set
search_path = storage as $$ search_path = '' as $$
begin begin
return replace(storage.filename(name), concat('.', return replace(storage.filename(name), concat('.',
storage.extension(name)), '')::uuid; storage.extension(name)), '')::uuid;
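Review bot: In the hunk at `@@ -1313,7 +1312,7 @@`, `accept_invitation` is still created without a schema, so where it lands depends on the session's search_path when the migration runs, while every other function on this page is pinned to `public.` or `kit.`; I would write `or replace function public.accept_invitation (token text, user_id uuid) returns uuid`. Separately, most of the function bodies touched here lie outside the hunks, and PL/pgSQL resolves table, type and function names only when a statement first executes, so an unqualified name that was missed under `search_path = ''` would surface as a runtime error rather than at migration time. The `app_permissions` casts fixed in this commit show such names existed, so it is worth exercising each changed function (the `security definer` ones and the triggers first) in a test run before merging. The `set search_path to ''` added to the SQL-language `kit.slugify` will also, as far as I know, stop the planner from inlining it, which is acceptable for hardening but deserves a short comment next to the definition.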