zaid.marzguioui/myeasycms-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix RLS Policy for Storage preventing non-uuid file names (#57)

Browse Source
This commit is contained in:
Giancarlo Buomprisco
2024-08-30 20:39:10 +08:00
committed by GitHub
parent 94d0c1607d
commit e23489d308
2 changed files with 53 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
apps/web/supabase/migrations/20221215192558_schema.sql
View File

@@ -2722,25 +2722,22 @@ grant
execute on function kit.get_storage_filename_as_uuid (text) to authenticated, execute on function kit.get_storage_filename_as_uuid (text) to authenticated,
service_role; service_role;
-- RLS policies for storage -- RLS policies for storage bucket account_image
create policy account_image on storage.objects for all using ( create policy account_image on storage.objects for all using (
bucket_id = 'account_image' bucket_id = 'account_image'
and kit.get_storage_filename_as_uuid (name) = ( and (
select kit.get_storage_filename_as_uuid(name) = auth.uid()
auth.uid ()
)
or public.has_role_on_account(kit.get_storage_filename_as_uuid(name)) or public.has_role_on_account(kit.get_storage_filename_as_uuid(name))
) )
with
check (
bucket_id = 'account_image'
and (kit.get_storage_filename_as_uuid (name) = (
select
auth.uid ()
) )
with check (
bucket_id = 'account_image'
and (
kit.get_storage_filename_as_uuid(name) = auth.uid()
or public.has_permission( or public.has_permission(
auth.uid(), auth.uid(),
kit.get_storage_filename_as_uuid(name), kit.get_storage_filename_as_uuid(name),
'settings.manage' 'settings.manage'
)) )
)
); );

39
apps/web/supabase/tests/database/storage.test.sql
View File

@@ -75,6 +75,45 @@ select lives_ok(
'new row violates row-level security policy for table "objects"' 'new row violates row-level security policy for table "objects"'
); );
set local role postgres;
-- create a new bucket with a custom policy
--
create policy new_custom_bucket_policy on storage.objects for all using (
bucket_id = 'new_bucket'
and auth.uid() = tests.get_supabase_uid('owner')
)
with check (
bucket_id = 'new_bucket'
and auth.uid() = tests.get_supabase_uid('owner')
);
select tests.authenticate_as('owner');
-- insert a new object into the new bucket
--
select lives_ok(
$$ insert into storage.objects ("bucket_id", "metadata", "name", "owner", "owner_id", "version") values
('new_bucket', '{"key": "value"}', 'some name 2', tests.get_supabase_uid('primary_owner'), tests.get_supabase_uid('primary_owner'), 1); $$,
'The primary_owner should be able to insert a new object into the new bucket'
);
-- check the object is inserted
--
select isnt_empty(
$$ select * from storage.objects where bucket_id = 'new_bucket' $$,
'The object should be inserted into the new bucket'
);
-- check other members cannot insert into the new bucket
select tests.authenticate_as('member');
select throws_ok(
$$ insert into storage.objects ("bucket_id", "metadata", "name", "owner", "owner_id", "version") values
('new_bucket', '{"key": "value"}', 'some other name', tests.get_supabase_uid('primary_owner'), tests.get_supabase_uid('primary_owner'), 1); $$,
'new row violates row-level security policy for table "objects"'
);
select select
* *
from from