fix: land unique open-PR queue onto current main#808
Merged
Supabase / Supabase Preview
failed
Jul 18, 2026 in 1m 27s
Supabase Preview
ERROR: Unsafe supabase_admin default privileges; migration blocked. (SQLSTATE 42501)
{"safe": false, "entries": ["function:PUBLIC:execute", "function:anon:execute", "function:authenticated:execute", "function:postgres:execute", "function:service_role:execute", "function:supabase_admin:execute", "sequence:anon:select", "sequence:anon:update", "sequence:anon:usage", "sequence:authenticated:select", "sequence:authenticated:update", "sequence:authenticated:usage", "sequence:postgres:select", "sequence:postgres:update", "sequence:postgres:usage", "sequence:service_role:select", "sequence:service_role:update", "sequence:service_role:usage", "sequence:supabase_admin:usage", "table:anon:delete", "table:anon:insert", "table:anon:maintain", "table:anon:references", "table:anon:select", "table:anon:trigger", "table:anon:truncate", "table:anon:update", "table:authenticated:delete", "table:authenticated:insert", "table:authenticated:maintain", "table:authenticated:references", "table:authenticated:select", "table:authenticated:trigger", "table:authenticated:truncate", "table:authenticated:update", "table:postgres:delete", "table:postgres:insert", "table:postgres:maintain", "table:postgres:references", "table:postgres:select", "table:postgres:trigger", "table:postgres:truncate", "table:postgres:update", "table:service_role:delete", "table:service_role:insert", "table:service_role:maintain", "table:service_role:references", "table:service_role:select", "table:service_role:trigger", "table:service_role:truncate", "table:service_role:update", "table:supabase_admin:delete", "table:supabase_admin:insert", "table:supabase_admin:maintain", "table:supabase_admin:references", "table:supabase_admin:select", "table:supabase_admin:trigger", "table:supabase_admin:truncate", "table:supabase_admin:update"], "role_exists": true, "schema_exists": true}
At statement: 3
do $$
declare
v_status jsonb;
begin
if not exists (select 1 from pg_catalog.pg_roles where rolname = 'supabase_admin') then
raise notice 'role supabase_admin does not exist; default-privilege assertion is not applicable';
return;
end if;
begin
-- Local/Superuser-capable environments can assume the target role even
-- when the migration role cannot use ALTER DEFAULT PRIVILEGES FOR ROLE
-- directly. Hosted environments that cannot assume it fall through to the
-- catalog assertion and block with operator instructions.
execute 'set local role supabase_admin';
-- Revokes must be global: per-schema ACLs cannot subtract privileges from
-- built-in or previously granted global defaults.
alter default privileges for role supabase_admin
revoke all privileges on tables from public, anon, authenticated, service_role;
alter default privileges for role supabase_admin in schema public
revoke all privileges on tables from public, anon, authenticated, service_role;
alter default privileges for role supabase_admin
revoke all privileges on sequences from public, anon, authenticated, service_role;
alter default privileges for role supabase_admin in schema public
revoke all privileges on sequences from public, anon, authenticated, service_role;
alter default privileges for role supabase_admin
revoke execute on functions from public, anon, authenticated, service_role;
alter default privileges for role supabase_admin in schema public
revoke execute on functions from public, anon, authenticated, service_role;
alter default privileges for role supabase_admin in schema public
grant select, insert, update, delete on tables to service_role;
alter default privileges for role supabase_admin in schema public
grant usage, select on sequences to service_role;
alter default privileges for role supabase_admin in schema public
grant execute on functions to service_role;
execute 'reset role';
exception when insufficient_privilege then
begin execute 'reset role'; exception when others then null; end;
raise notice 'current role % cannot remediate supabase_admin default privileges; asserting the catalog postcondition', current_user;
end;
v_status := public.default_privileges_status('supabase_admin', 'public');
if not coalesce((v_status->>'safe')::boolean, false) then
raise exception using
errcode = '42501',
message = 'Unsafe supabase_admin default privileges; migration blocked.',
detail = v_status::text,
hint = E'Run these six statements as supabase_admin, then retry the migration:\n'
'DO $remediate$ BEGIN ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin REVOKE ALL PRIVILEGES ON TABLES FROM PUBLIC, anon, authenticated, service_role; ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public REVOKE ALL PRIVILEGES ON TABLES FROM PUBLIC, anon, authenticated, service_role; END $remediate$;\n'
'DO $remediate$ BEGIN ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin REVOKE ALL PRIVILEGES ON SEQUENCES FROM PUBLIC, anon, authenticated, service_role; ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public REVOKE ALL PRIVILEGES ON SEQUENCES FROM PUBLIC, anon, authenticated, service_role; END $remediate$;\n'
'DO $remediate$ BEGIN ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC, anon, authenticated, service_role; ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC, anon, authenticated, service_role; END $remediate$;\n'
'ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO service_role;\n'
'ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO service_role;\n'
'ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO service_role;';
end if;
end;
$$
Loading