
fix: restrict org plan status RPC access #1967

Merged
riderx merged 2 commits into main from codex/fix-ghsa-j5h5-v35x-mgjf on Apr 27, 2026

Conversation

@riderx (Member) commented Apr 27, 2026

Summary (AI generated)

  • Restrict public.is_paying_and_good_plan_org_action(orgid, actions[]) with the same caller-role and org-rights gate already used by the sibling org status RPCs
  • Revoke anonymous execute access and keep authenticated plus service_role execution
  • Extend the org status pgTAP coverage to assert admin, non-member, anonymous, and service-role behavior for the fixed RPC
  • Update older plan-logic SQL tests to run under service-role auth so they validate plan behavior instead of the removed public RPC access pattern

Motivation (AI generated)

GitHub security advisory GHSA-j5h5-v35x-mgjf reports that is_paying_and_good_plan_org_action remained as an unauthenticated SECURITY DEFINER org-state oracle after the earlier sibling RPC hardening. This closes that missed path with the same authorization pattern already used elsewhere in the schema.

Business Impact (AI generated)

This removes an anonymous cross-tenant billing and quota state disclosure path on Capgo's production API surface. It reduces security risk for customer organizations and avoids exposing plan, trial, credits, or over-quota status through a public RPC.

Test Plan (AI generated)

  • Lint the touched SQL files with sqlfluff
  • Verify the function body and grants directly in the local Postgres container
  • Verify anonymous REST access to the RPC now returns 401 / 42501
  • Wait for GitHub CI to pass on the PR

Generated with AI

@coderabbitai (Contributor, bot) commented Apr 27, 2026

📝 Walkthrough

Introduces a new SECURITY DEFINER RPC function is_paying_and_good_plan_org_action that checks whether an organization has active credits or a valid Stripe subscription supporting requested action types, with access controlled via org membership checks and tests validating authorization across different user contexts.

Changes

Cohort: New RPC Function
File(s): supabase/migrations/20260427105817_restrict_is_paying_and_good_plan_org_action_access.sql
Summary: Defines a SECURITY DEFINER RPC that gates access via check_min_rights, checks usage credit balances, and evaluates Stripe trial/subscription eligibility against provided action types. Execution restricted to authenticated and service_role.

Cohort: Test Authentication Setup
File(s): supabase/tests/11_test_plan.sql, supabase/tests/25_test_secret_functions.sql
Summary: Adds service-role authentication initialization calls before test execution without modifying existing test logic or assertions.

Cohort: New RPC Assertions
File(s): supabase/tests/46_test_org_status_rpcs.sql
Summary: Expands test suite with four assertions for is_paying_and_good_plan_org_action covering admin access (returns true), non-member access (returns false), anonymous access (permission error), and service-role access (returns true).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

codex

Poem

🐰 A guardian function hops into place,
Checking credits and Stripe's good grace—
Locked tight with security seals,
Testing each user tier reveals,
Now orgs know their billing is real!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Title check: ✅ Passed. The title accurately describes the main change: restricting access to an org plan status RPC to fix a security vulnerability.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Description check: ✅ Passed. PR description is well-structured with Summary, Motivation, Business Impact, and Test Plan sections covering the security fix comprehensively.

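The authorization pattern that the PR summary (caller-role and org-rights gate inside the SECURITY DEFINER function, anonymous EXECUTE revoked, authenticated and service_role kept) and the walkthrough above describe, written out as an added example. This is not the Capgo migration or its pgTAP tests: the RPC public.org_plan_status(uuid), the tables public.org_members and public.org_plans, the fixture UUIDs, and the helper public.caller_can_read_org(uuid), which stands in for the project's check_min_rights gate (whose signature is not shown on this page), are all assumed. auth.uid() and auth.role() are Supabase's helpers that read the request JWT.

```sql
-- Added example, not the Capgo migration or tests from PR #1967.
-- Hypothetical names: public.org_members(org_id, user_id, role),
-- public.org_plans(org_id, status), public.org_plan_status(uuid) and
-- public.caller_can_read_org(uuid), which stands in for the project's
-- check_min_rights gate. auth.uid()/auth.role() read the Supabase request JWT.

-- 1. Gate: service_role passes; anyone else must be an authenticated member.
--    SECURITY DEFINER runs as the owner, so the only caller identity that can
--    be trusted is the JWT-derived one, never current_user.
create or replace function public.caller_can_read_org(p_org_id uuid)
returns boolean
language plpgsql
security definer
set search_path = ''
as $$
begin
  if auth.role() = 'service_role' then
    return true;                  -- backend key: full access
  end if;
  if auth.uid() is null then
    return false;                 -- anon or no JWT: nothing to match
  end if;
  return exists (
    select 1 from public.org_members m
    where m.org_id = p_org_id and m.user_id = auth.uid()
  );
end;
$$;

-- 2. The status RPC. The gate is the first statement, so a non-member gets a
--    plain false and learns nothing about the org's plan state.
create or replace function public.org_plan_status(p_org_id uuid)
returns boolean
language plpgsql
security definer
set search_path = ''
as $$
begin
  if not public.caller_can_read_org(p_org_id) then
    return false;
  end if;
  return exists (
    select 1 from public.org_plans p
    where p.org_id = p_org_id and p.status = 'good'
  );
end;
$$;

-- 3. Grants. Postgres grants EXECUTE on new functions to PUBLIC by default and
--    PostgREST exposes every function the request role can execute, so the
--    REVOKE is what closes the anonymous path; the GRANT re-opens it only for
--    the two roles that should have it. The gate helper stays owner-only.
revoke execute on function public.caller_can_read_org(uuid) from public, anon;
revoke execute on function public.org_plan_status(uuid) from public, anon;
grant execute on function public.org_plan_status(uuid) to authenticated, service_role;

-- 4. pgTAP assertions mirroring the PR's role matrix. Constructed fixture
--    data; run as a superuser that may SET ROLE, inside one transaction.
begin;
select plan(4);
insert into public.org_plans (org_id, status)
values ('11111111-1111-1111-1111-111111111111', 'good');
insert into public.org_members (org_id, user_id, role)
values ('11111111-1111-1111-1111-111111111111',
        '22222222-2222-2222-2222-222222222222', 'admin');

-- anonymous: EXECUTE was revoked, so the call fails before the body runs
set local role anon;
select throws_ok(
  $$ select public.org_plan_status('11111111-1111-1111-1111-111111111111') $$,
  '42501', null, 'anon is denied at the grant level');
reset role;

-- authenticated member: passes the gate and sees the real status
set local role authenticated;
select set_config('request.jwt.claim.role', 'authenticated', true);
select set_config('request.jwt.claim.sub', '22222222-2222-2222-2222-222222222222', true);
select ok(public.org_plan_status('11111111-1111-1111-1111-111111111111'),
          'org admin sees plan status');

-- authenticated non-member: may execute, but the gate returns false
select set_config('request.jwt.claim.sub', '33333333-3333-3333-3333-333333333333', true);
select ok(not public.org_plan_status('11111111-1111-1111-1111-111111111111'),
          'non-member gets false, not the org state');
reset role;

-- service_role: bypasses the membership check
set local role service_role;
select set_config('request.jwt.claim.role', 'service_role', true);
select ok(public.org_plan_status('11111111-1111-1111-1111-111111111111'),
          'service_role sees plan status');
reset role;

select * from finish();
rollback;
```

The anonymous case is deliberately caught by the grant rather than by the function body: a REVOKE is visible in the catalog and fails with 42501 before any code runs, which is the same observable the PR's test plan checks over REST ("401 / 42501"). The in-body gate then covers the authenticated-but-unauthorized case, which grants alone cannot express.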

@codspeed-hq (Contributor, bot) commented Apr 27, 2026

Merging this PR will not alter performance

✅ 28 untouched benchmarks


Comparing codex/fix-ghsa-j5h5-v35x-mgjf (8a98210) with main (847a8b9)



@riderx riderx marked this pull request as ready for review April 27, 2026 13:00
@riderx riderx merged commit 1a65f50 into main Apr 27, 2026
16 checks passed
@riderx riderx deleted the codex/fix-ghsa-j5h5-v35x-mgjf branch April 27, 2026 13:09