Users should explicitly grant privileges to `anon` (unauthenticated clients) if they want some database objects to be publicly accessible. This caused confusion in https://github.com/supabase/supabase/discussions/1493, so the fix is to revoke the default privileges for `anon`.
-- Set up realtime.
-- `for all tables` covers every existing table and every table created later,
-- so a new table is published without any further opt-in.
-- NOTE(review): the publication itself applies no per-row access control;
-- confirm that whatever consumes it filters the changes it forwards to clients.
create publication supabase_realtime
    for all tables;
-- Extension namespacing: extensions are installed into a dedicated schema
-- instead of `public`, which keeps their functions apart from user objects.
-- Nothing in the statements below grants any role usage on `extensions`.
create schema extensions;

-- Order matters: pgjwt is created after pgcrypto.
-- NOTE(review): pgjwt presumably depends on pgcrypto; keep this order.
create extension if not exists "uuid-ossp"
    with schema extensions;
create extension if not exists pgcrypto
    with schema extensions;
create extension if not exists pgjwt
    with schema extensions;
-- Developer roles.
-- All three are `nologin`, so none of them can open a connection directly.
create role anon
    nologin
    noinherit;
create role authenticated
    nologin
    noinherit; -- "logged in" user: web_user, app_user, etc

-- `bypassrls` exempts this role from row-level security policies, so a token
-- that selects it carries unrestricted row access.
-- NOTE(review): confirm such tokens are only ever issued to trusted backends.
create role service_role
    nologin
    noinherit
    bypassrls; -- allow developers to create JWTs that bypass their policies

-- Login role that is a member of the three roles above. With `noinherit` it
-- holds none of their privileges until it switches to one via SET ROLE.
-- NOTE(review): no password is set here; confirm credentials are assigned
-- before this role is reachable over the network.
create user authenticator
    noinherit;
grant anon, authenticated, service_role
    to authenticator;
-- Schema access: every API role, `anon` included, may look up objects in
-- `public`. Usage alone grants no access to the objects themselves.
grant usage
    on schema public
    to postgres, anon, authenticated, service_role;

-- Default privileges for objects created in `public` from now on. `anon` is
-- left out on purpose: access for unauthenticated clients has to be granted
-- explicitly, object by object.
-- There is no `for role` clause, so these defaults only apply to objects
-- created by the role that runs this script.
-- NOTE(review): `grant all` gives `authenticated` every table privilege;
-- row-level security policies are then the remaining control. Confirm that
-- new tables get policies.
alter default privileges in schema public
    grant all on tables
    to postgres, authenticated, service_role;

-- NOTE(review): PostgreSQL grants EXECUTE on new functions to PUBLIC by
-- default and a per-schema default cannot remove that, so `anon` can still
-- call functions created in `public` unless EXECUTE is revoked from PUBLIC.
alter default privileges in schema public
    grant all on functions
    to postgres, authenticated, service_role;

alter default privileges in schema public
    grant all on sequences
    to postgres, authenticated, service_role;