
Commit 36abab8

committed
chore: update grants for webhooks
1 parent 6b2e5d1 commit 36abab8


2 files changed

+24
-31
lines changed


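--- a/docker/volumes/db/roles.sql
+++ b/docker/volumes/db/roles.sql
@@ -4,4 +4,5 @@
 ALTER USER authenticator WITH PASSWORD :'pgpass';
 ALTER USER pgbouncer WITH PASSWORD :'pgpass';
 ALTER USER supabase_auth_admin WITH PASSWORD :'pgpass';
+ALTER USER supabase_functions_admin WITH PASSWORD :'pgpass';
 ALTER USER supabase_storage_admin WITH PASSWORD :'pgpass';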
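Review bot: The added `ALTER USER supabase_functions_admin WITH PASSWORD :'pgpass';` gives the new admin role the same password as `authenticator`, `pgbouncer` and the other service roles, so a leak of any one connection string exposes every one of them. If the deployment allows it, a separate psql variable for this role would limit that (for example `:'functions_admin_pass'`, a placeholder name that is not defined on this page). Failing that, a comment above the block such as `-- NOTE: all service roles share :'pgpass'; rotate them together` would document the coupling. The statement list starts before this hunk, so where the role is created is not visible here.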

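--- a/docker/volumes/db/webhooks.sql
+++ b/docker/volumes/db/webhooks.sql
@@ -2,11 +2,11 @@ BEGIN;
 -- Create pg_net extension
 CREATE EXTENSION IF NOT EXISTS pg_net SCHEMA extensions;
 -- Create supabase_functions schema
-CREATE SCHEMA if not exists supabase_functions;
-GRANT USAGE ON SCHEMA supabase_functions TO postgres;
-ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON TABLES TO postgres;
-ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON FUNCTIONS TO postgres;
-ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON SEQUENCES TO postgres;
+CREATE SCHEMA supabase_functions AUTHORIZATION supabase_admin;
+GRANT USAGE ON SCHEMA supabase_functions TO postgres, anon, authenticated, service_role;
+ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON TABLES TO postgres, anon, authenticated, service_role;
+ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON FUNCTIONS TO postgres, anon, authenticated, service_role;
+ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON SEQUENCES TO postgres, anon, authenticated, service_role;
 -- supabase_functions.migrations definition
 CREATE TABLE supabase_functions.migrations (
 version text PRIMARY KEY,
@@ -41,29 +41,29 @@ BEGIN;
 IF url IS NULL OR url = 'null' THEN
 RAISE EXCEPTION 'url argument is missing';
 END IF;
-
+
 IF method IS NULL OR method = 'null' THEN
 RAISE EXCEPTION 'method argument is missing';
 END IF;
-
+
 IF TG_ARGV[2] IS NULL OR TG_ARGV[2] = 'null' THEN
 headers = '{"Content-Type": "application/json"}'::jsonb;
 ELSE
 headers = TG_ARGV[2]::jsonb;
 END IF;
-
+
 IF TG_ARGV[3] IS NULL OR TG_ARGV[3] = 'null' THEN
 params = '{}'::jsonb;
 ELSE
 params = TG_ARGV[3]::jsonb;
 END IF;
-
+
 IF TG_ARGV[4] IS NULL OR TG_ARGV[4] = 'null' THEN
 timeout_ms = 1000;
 ELSE
 timeout_ms = TG_ARGV[4]::integer;
 END IF;
-
+
 CASE
 WHEN method = 'GET' THEN
 SELECT http_get INTO request_id FROM net.http_get(
@@ -74,13 +74,13 @@ BEGIN;
 );
 WHEN method = 'POST' THEN
 payload = jsonb_build_object(
-'old_record', OLD,
-'record', NEW,
+'old_record', OLD,
+'record', NEW,
 'type', TG_OP,
 'table', TG_TABLE_NAME,
 'schema', TG_TABLE_SCHEMA
 );
-
+
 SELECT http_post INTO request_id FROM net.http_post(
 url,
 payload,
@@ -91,12 +91,12 @@ BEGIN;
 ELSE
 RAISE EXCEPTION 'method argument % is invalid', method;
 END CASE;
-
+
 INSERT INTO supabase_functions.hooks
 (hook_table_id, hook_name, request_id)
 VALUES
 (TG_RELID, TG_NAME, request_id);
-
+
 RETURN NEW;
 END
 $function$;
@@ -148,19 +148,15 @@ BEGIN;
 WHERE extname = 'pg_net'
 )
 THEN
-GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres;
+GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role;
 ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
 ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
-ALTER function net.http_collect_response(request_id bigint, async boolean) SECURITY DEFINER;
 ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
 ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
-ALTER function net.http_collect_response(request_id bigint, async boolean) SET search_path = net;
 REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
 REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
-REVOKE ALL ON FUNCTION net.http_collect_response(request_id bigint, async boolean) FROM PUBLIC;
-GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres;
-GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres;
-GRANT EXECUTE ON FUNCTION net.http_collect_response(request_id bigint, async boolean) TO supabase_functions_admin, postgres;
+GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
 END IF;
 END
 $$;
@@ -178,19 +174,15 @@ BEGIN;
 WHERE ext.extname = 'pg_net'
 )
 THEN
-GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres;
+GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role;
 ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
 ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
-ALTER function net.http_collect_response(request_id bigint, async boolean) SECURITY DEFINER;
 ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
 ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
-ALTER function net.http_collect_response(request_id bigint, async boolean) SET search_path = net;
 REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
 REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
-REVOKE ALL ON FUNCTION net.http_collect_response(request_id bigint, async boolean) FROM PUBLIC;
-GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres;
-GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres;
-GRANT EXECUTE ON FUNCTION net.http_collect_response(request_id bigint, async boolean) TO supabase_functions_admin, postgres;
+GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
 END IF;
 END;
 $$;
@@ -212,5 +204,5 @@ BEGIN;
 ALTER function supabase_functions.http_request() SECURITY DEFINER;
 ALTER function supabase_functions.http_request() SET search_path = supabase_functions;
 REVOKE ALL ON FUNCTION supabase_functions.http_request() FROM PUBLIC;
-GRANT EXECUTE ON FUNCTION supabase_functions.http_request() TO postgres;
-COMMIT;
+GRANT EXECUTE ON FUNCTION supabase_functions.http_request() TO postgres, anon, authenticated, service_role;
+COMMIT;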
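Review bot: `anon` and `authenticated` receive direct `EXECUTE` on `net.http_get` and `net.http_post` in both `pg_net` blocks, and those functions are marked `SECURITY DEFINER` a few lines earlier, so roles used for unauthenticated and end-user API sessions can make the database host send HTTP requests; that is a server-side request forgery exposure if the `net` schema is reachable from the API, which this page does not show. Since `supabase_functions.http_request()` is itself `SECURITY DEFINER`, webhook triggers presumably do not need the caller to hold these grants, so consider ending the two `net` function grants and the `GRANT USAGE ON SCHEMA net` line with `TO supabase_functions_admin, postgres, service_role;`. The same least-privilege concern applies to the `ALTER DEFAULT PRIVILEGES ... GRANT ALL ON TABLES/FUNCTIONS/SEQUENCES` lines at the top of the file, where `GRANT ALL` to `anon` includes write access to tables created later in `supabase_functions`; a narrower privilege list, with a comment stating why each role needs it, would be safer. The DO blocks holding the `net` grants begin outside the hunks shown.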
