From e23489d3086654246a5b797b62a90b9f673ce6c9 Mon Sep 17 00:00:00 2001 From: Giancarlo Buomprisco Date: Fri, 30 Aug 2024 20:39:10 +0800 Subject: [PATCH] Fix RLS Policy for Storage preventing non-uuid file names (#57) --- .../migrations/20221215192558_schema.sql | 31 +++++++-------- .../supabase/tests/database/storage.test.sql | 39 +++++++++++++++++++ 2 files changed, 53 insertions(+), 17 deletions(-) diff --git a/apps/web/supabase/migrations/20221215192558_schema.sql b/apps/web/supabase/migrations/20221215192558_schema.sql index b113068a5..ab9c2652f 100644 --- a/apps/web/supabase/migrations/20221215192558_schema.sql +++ b/apps/web/supabase/migrations/20221215192558_schema.sql @@ -2722,25 +2722,22 @@ grant execute on function kit.get_storage_filename_as_uuid (text) to authenticated, service_role; --- RLS policies for storage +-- RLS policies for storage bucket account_image create policy account_image on storage.objects for all using ( bucket_id = 'account_image' - and kit.get_storage_filename_as_uuid (name) = ( - select - auth.uid () + and ( + kit.get_storage_filename_as_uuid(name) = auth.uid() + or public.has_role_on_account(kit.get_storage_filename_as_uuid(name)) ) - or public.has_role_on_account (kit.get_storage_filename_as_uuid (name)) ) -with - check ( - bucket_id = 'account_image' - and (kit.get_storage_filename_as_uuid (name) = ( - select - auth.uid () - ) - or public.has_permission ( - auth.uid (), - kit.get_storage_filename_as_uuid (name), +with check ( + bucket_id = 'account_image' + and ( + kit.get_storage_filename_as_uuid(name) = auth.uid() + or public.has_permission( + auth.uid(), + kit.get_storage_filename_as_uuid(name), 'settings.manage' - )) - ); \ No newline at end of file + ) + ) +); \ No newline at end of file diff --git a/apps/web/supabase/tests/database/storage.test.sql b/apps/web/supabase/tests/database/storage.test.sql index f8f0cde24..0fe521177 100644 --- a/apps/web/supabase/tests/database/storage.test.sql 
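Review bot: The `account_image` policy is still `for all` with a wider `using` than `with check`, and DELETE consults only `using`, so any caller for whom `public.has_role_on_account(...)` is true can delete an account image even though insert and update require `'settings.manage'`. `has_role_on_account` is defined outside this hunk; if it accepts any role on the account, that is presumably broader than intended for a destructive operation. I would move the membership arm to a separate `for select` policy and let the `for all` policy carry the `has_permission` arm in `using`, as sketched below. This also edits an existing migration file, so databases that already ran it would need a follow-up migration to pick up the corrected grouping.

```sql
-- read access: the user's own image, or any member of the account
create policy account_image_read on storage.objects for select using (
  bucket_id = 'account_image'
  and (
    kit.get_storage_filename_as_uuid(name) = auth.uid()
    or public.has_role_on_account(kit.get_storage_filename_as_uuid(name))
  )
);

-- insert/update/delete: DELETE is checked against USING only, so USING
-- must carry the same permission as WITH CHECK
create policy account_image on storage.objects for all using (
  bucket_id = 'account_image'
  and (
    kit.get_storage_filename_as_uuid(name) = auth.uid()
    or public.has_permission(
      auth.uid(),
      kit.get_storage_filename_as_uuid(name),
      'settings.manage'
    )
  )
)
-- … unchanged: with check ( … 'settings.manage' … ) …
```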
+++ b/apps/web/supabase/tests/database/storage.test.sql @@ -75,6 +75,45 @@ select lives_ok( 'new row violates row-level security policy for table "objects"' ); +set local role postgres; + +-- create a new bucket with a custom policy +-- +create policy new_custom_bucket_policy on storage.objects for all using ( + bucket_id = 'new_bucket' + and auth.uid() = tests.get_supabase_uid('owner') +) +with check ( + bucket_id = 'new_bucket' + and auth.uid() = tests.get_supabase_uid('owner') +); + +select tests.authenticate_as('owner'); + +-- insert a new object into the new bucket +-- +select lives_ok( + $$ insert into storage.objects ("bucket_id", "metadata", "name", "owner", "owner_id", "version") values + ('new_bucket', '{"key": "value"}', 'some name 2', tests.get_supabase_uid('primary_owner'), tests.get_supabase_uid('primary_owner'), 1); $$, + 'The primary_owner should be able to insert a new object into the new bucket' +); + +-- check the object is inserted +-- +select isnt_empty( + $$ select * from storage.objects where bucket_id = 'new_bucket' $$, + 'The object should be inserted into the new bucket' +); + +-- check other members cannot insert into the new bucket +select tests.authenticate_as('member'); + +select throws_ok( + $$ insert into storage.objects ("bucket_id", "metadata", "name", "owner", "owner_id", "version") values + ('new_bucket', '{"key": "value"}', 'some other name', tests.get_supabase_uid('primary_owner'), tests.get_supabase_uid('primary_owner'), 1); $$, + 'new row violates row-level security policy for table "objects"' +); + select * from
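Review bot: The added tests exercise INSERT with a non-uuid name and one SELECT as `owner`, so they do not pin the cross-bucket behaviour that the regrouped `account_image` policy changes for reads and deletes by other users. After `select tests.authenticate_as('member');` I would add an `is_empty` check on `select * from storage.objects where bucket_id = 'new_bucket'`, ideally against an object whose name is the uuid of an account the member belongs to, so that a policy arm escaping its `bucket_id` guard fails the test. Separately, the `lives_ok` description says 'The primary_owner should be able to insert…' while the session is authenticated as `owner` and the policy compares against `tests.get_supabase_uid('owner')`; the description and the fixture names should agree. The fixtures for `new_bucket` and these users are presumably created above the hunk, and the trailing `select * from` statement continues below it.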