## Context

For a table that has RLS enabled, but a policy with just `true` for the role `public`, the RLS tester was incorrectly reporting that `anon` doesn't have access.

This was happening because we weren't considering policies that apply to the `public` role (which applies to _all_ roles).

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

* **Bug Fixes**
  * RLS tester now treats explicitly-public policies as applicable regardless of the impersonated role, improving policy coverage accuracy.
* **Refactor**
  * Consolidated RLS test state computation to improve consistency of access badges and policy messaging.
* **Tests**
  * Added comprehensive tests validating RLS scenarios, badge states, and policy/role messaging.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
import type { ParseQueryResults } from './RLSTester.types'
/**
 * Derives the flags the RLS tester uses to decide whether the impersonated
 * role can read data from the tables touched by a parsed query.
 *
 * @param parseQueryResults - Parsed query results, or `undefined` when none
 *   are available.
 * @returns
 *   - `isServiceRole`: `true` when no role is set on the results. This is
 *     also the case when `parseQueryResults` itself is `undefined`.
 *   - `tableWithRLSEnabledButNoPolicies`: the first table with RLS enabled
 *     and an empty `tablePolicies` list, else `undefined`.
 *   - `tableWithRLSEnabledWithPolicyFalse`: the first table with RLS enabled
 *     and at least one policy whose definition is exactly the text `'false'`,
 *     else `undefined`.
 *   - `noAccessToData`: `true` when the role is not the service role and
 *     either of the two tables above was found.
 */
export function deriveRLSTestState(parseQueryResults: ParseQueryResults | undefined) {
  // A missing role is read as "service role"; missing results land here too.
  // NOTE(review): confirm callers never need to tell "no results yet" apart from
  // an actual service-role run, since both report isServiceRole = true.
  const isServiceRole = parseQueryResults?.role === undefined

  // RLS on with zero policies: nothing can grant access to a non-service role.
  const tableWithRLSEnabledButNoPolicies = parseQueryResults?.tables.find(
    ({ isRLSEnabled, tablePolicies }) => isRLSEnabled && tablePolicies.length === 0
  )

  // NOTE(review): one policy whose definition is 'false' is enough to flag the
  // table, even when it carries other policies. Postgres ORs permissive policies
  // together, so unless `tablePolicies` is already narrowed upstream to the
  // policies that apply, "no access" can be reported for a table another policy
  // still opens up. Confirm against the code that builds ParseQueryResults.
  // The check is an exact string match: other always-false expressions are not
  // detected here.
  const tableWithRLSEnabledWithPolicyFalse = parseQueryResults?.tables.find(
    ({ isRLSEnabled, tablePolicies }) =>
      isRLSEnabled && tablePolicies.some(({ definition }) => definition === 'false')
  )

  const hasBlockingTable =
    Boolean(tableWithRLSEnabledButNoPolicies) || Boolean(tableWithRLSEnabledWithPolicyFalse)
  const noAccessToData = !isServiceRole && hasBlockingTable

  return {
    isServiceRole,
    tableWithRLSEnabledButNoPolicies,
    tableWithRLSEnabledWithPolicyFalse,
    noAccessToData,
  }
}