Skip to content

Restrict upsert_version_meta execute rights#1713

Merged
riderx merged 6 commits into
mainfrom
riderx/fix-version-metrics
Mar 3, 2026
Merged

Restrict upsert_version_meta execute rights#1713
riderx merged 6 commits into
mainfrom
riderx/fix-version-metrics

Conversation

@riderx
Copy link
Copy Markdown
Member

@riderx riderx commented Feb 27, 2026
edited by coderabbitai Bot
Loading

Summary (AI generated)

  • Kept the security fix in supabase/migrations/20260227000000_harden_upsert_version_meta.sql and limited it to privilege changes only.
  • Removed execute permissions for anon and authenticated on public.upsert_version_meta.
  • Granted execute permission only to service_role.
  • Did not change upsert_version_meta logic/body.

Motivation (AI generated)

The user requested execution hardening without modifying the function implementation, so this keeps the risk reduction focused on access control.

Business Impact (AI generated)

Only service-level contexts can invoke upsert_version_meta, preventing unauthenticated or non-service callers from writing to public.version_meta through this RPC and reducing metrics integrity risk.

Test Plan (AI generated)

  • Run bun lint:backend.
  • Verify migration applies cleanly in a migration-run environment.
  • Confirm RPC execute rights: anon and authenticated are revoked, and service_role is granted.

Generated with AI

Summary by CodeRabbit

  • Chores
    • Updated database access controls to restrict function permissions to authorized service roles only.

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Feb 27, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6103e84 and feae2c0.

📒 Files selected for processing (1)
  • supabase/migrations/20260227010000_restrict_upsert_version_meta_exec.sql
📝 Walkthrough

Walkthrough

This pull request introduces a database migration that restricts function access permissions. The migration revokes all privileges on the public.upsert_version_meta() function from the anon and authenticated roles, then grants EXECUTE permission exclusively to the service_role.

Changes

Cohort / File(s) Summary
Database Migration
supabase/migrations/20260227010000_restrict_upsert_version_meta_exec.sql		 Revokes function privileges from public roles and restricts execution to service_role only, implementing access control for the version metadata upsert function.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A function locked tight with a key,
Only service_role holds the decree,
No anon, no auth shall pass through,
Permissions refined, all secure and true!
Hoppy migrations, so tidy and neat! 🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description covers the Summary section with context, but lacks a proper Test Plan section with clear testing steps and does not follow the template structure with required sections. Reorganize the description to match the template: add Summary, Test Plan (with checkbox items), Screenshots (marked as skippable for backend), and Checklist sections in the specified format.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main change: restricting execute rights on the upsert_version_meta function through privilege revocation and granting.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch riderx/fix-version-metrics

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 SQLFluff (4.0.4)
supabase/migrations/20260227010000_restrict_upsert_version_meta_exec.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@riderx riderx changed the title Harden upsert_version_meta RPC auth path Restrict upsert_version_meta execute rights Mar 3, 2026
@riderx riderx force-pushed the riderx/fix-version-metrics branch from 78efd24 to feae2c0 Compare March 3, 2026 13:01
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Mar 3, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@riderx riderx merged commit bcf161f into main Mar 3, 2026
14 of 15 checks passed
@riderx riderx deleted the riderx/fix-version-metrics branch March 3, 2026 13:14
@coderabbitai coderabbitai Bot mentioned this pull request Mar 13, 2026
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@riderx