Fix RLS Policy for Storage preventing non-uuid file names (#57)
This commit is contained in:
Giancarlo Buomprisco
committed by
GitHub
GitHub
parent
94d0c1607d
commit
e23489d308
@@ -2722,25 +2722,22 @@ grant
|
||||
execute on function kit.get_storage_filename_as_uuid (text) to authenticated,
|
||||
service_role;
|
||||
|
||||
-- RLS policies for storage
|
||||
-- RLS policies for storage bucket account_image
|
||||
create policy account_image on storage.objects for all using (
|
||||
bucket_id = 'account_image'
|
||||
and kit.get_storage_filename_as_uuid (name) = (
|
||||
select
|
||||
auth.uid ()
|
||||
and (
|
||||
kit.get_storage_filename_as_uuid(name) = auth.uid()
|
||||
or public.has_role_on_account(kit.get_storage_filename_as_uuid(name))
|
||||
)
|
||||
or public.has_role_on_account (kit.get_storage_filename_as_uuid (name))
|
||||
)
|
||||
with
|
||||
check (
|
||||
bucket_id = 'account_image'
|
||||
and (kit.get_storage_filename_as_uuid (name) = (
|
||||
select
|
||||
auth.uid ()
|
||||
)
|
||||
or public.has_permission (
|
||||
auth.uid (),
|
||||
kit.get_storage_filename_as_uuid (name),
|
||||
with check (
|
||||
bucket_id = 'account_image'
|
||||
and (
|
||||
kit.get_storage_filename_as_uuid(name) = auth.uid()
|
||||
or public.has_permission(
|
||||
auth.uid(),
|
||||
kit.get_storage_filename_as_uuid(name),
|
||||
'settings.manage'
|
||||
))
|
||||
);
|
||||
)
|
||||
)
|
||||
);
|
||||
@@ -75,6 +75,45 @@ select lives_ok(
|
||||
'new row violates row-level security policy for table "objects"'
|
||||
);
|
||||
|
||||
set local role postgres;
|
||||
|
||||
-- create a new bucket with a custom policy
|
||||
--
|
||||
create policy new_custom_bucket_policy on storage.objects for all using (
|
||||
bucket_id = 'new_bucket'
|
||||
and auth.uid() = tests.get_supabase_uid('owner')
|
||||
)
|
||||
with check (
|
||||
bucket_id = 'new_bucket'
|
||||
and auth.uid() = tests.get_supabase_uid('owner')
|
||||
);
|
||||
|
||||
select tests.authenticate_as('owner');
|
||||
|
||||
-- insert a new object into the new bucket
|
||||
--
|
||||
select lives_ok(
|
||||
$$ insert into storage.objects ("bucket_id", "metadata", "name", "owner", "owner_id", "version") values
|
||||
('new_bucket', '{"key": "value"}', 'some name 2', tests.get_supabase_uid('primary_owner'), tests.get_supabase_uid('primary_owner'), 1); $$,
|
||||
'The primary_owner should be able to insert a new object into the new bucket'
|
||||
);
|
||||
|
||||
-- check the object is inserted
|
||||
--
|
||||
select isnt_empty(
|
||||
$$ select * from storage.objects where bucket_id = 'new_bucket' $$,
|
||||
'The object should be inserted into the new bucket'
|
||||
);
|
||||
|
||||
-- check other members cannot insert into the new bucket
|
||||
select tests.authenticate_as('member');
|
||||
|
||||
select throws_ok(
|
||||
$$ insert into storage.objects ("bucket_id", "metadata", "name", "owner", "owner_id", "version") values
|
||||
('new_bucket', '{"key": "value"}', 'some other name', tests.get_supabase_uid('primary_owner'), tests.get_supabase_uid('primary_owner'), 1); $$,
|
||||
'new row violates row-level security policy for table "objects"'
|
||||
);
|
||||
|
||||
select
|
||||
*
|
||||
from
|
||||
|
||||
Reference in New Issue
Block a user