Skip to content

fix(db): restrict festival-assets storage writes to admins#40

Merged
chiptus merged 1 commit into
mainfrom
claude/fix-festival-rls-policies-Qbw22
May 20, 2026
Merged

fix(db): restrict festival-assets storage writes to admins#40
chiptus merged 1 commit into
mainfrom
claude/fix-festival-rls-policies-Qbw22

Conversation

@chiptus
Copy link
Copy Markdown
Owner

@chiptus chiptus commented May 20, 2026

Summary

The festival-logos migration created INSERT/UPDATE/DELETE storage policies gated only on auth.role() = 'authenticated', which OR-combined with the later admin-only policies and let any authenticated user write festival assets. This migration drops those three permissive write policies.

Manual test steps

  1. Apply the migration to a Supabase instance with this branch checked out.
  2. Sign in as a non-admin authenticated user and try to upload/update/delete a file in the festival-assets bucket (festival-logos/ folder) — each operation should now be denied by RLS.
  3. Sign in as an admin user and repeat — upload/update/delete should still succeed.
  4. Without signing in (anonymous), confirm festival assets are still publicly readable.

https://claude.ai/code/session_01DXGpafRd5ytK6UTuKFNrQH

Generated by Claude Code

@vercel
Copy link
Copy Markdown

vercel Bot commented May 20, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
upline Ready Ready Preview, Comment May 20, 2026 7:06pm

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026
edited
Loading

Deploy → stagingworkflow run
Last updated: 2026-05-20 19:10:14 UTC

  • DB migrations succeeded
  • ⏭️ Edge functions skipped (no changes)

@chiptus chiptus requested a review from Copilot May 20, 2026 19:04
@claude
Drop permissive festival-assets storage write policies
3f39b24 
The festival-logo migration created INSERT/UPDATE/DELETE policies gated
only on auth.role() = 'authenticated', which OR-combined with the later
admin-only policies and let any authenticated user write festival assets.

https://claude.ai/code/session_01DXGpafRd5ytK6UTuKFNrQH
@chiptus chiptus force-pushed the claude/fix-festival-rls-policies-Qbw22 branch from e24c9ec to 3f39b24 Compare May 20, 2026 19:05
Copilot AI reviewed May 20, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes Supabase Storage RLS for the festival-assets bucket by removing earlier permissive write policies that unintentionally allowed any authenticated user to write to festival logo assets, ensuring that only the later admin-only policies control write access.

Changes:

  • Drops permissive INSERT policy for authenticated users on festival-logos/ objects.
  • Drops permissive UPDATE and DELETE policies that allowed authenticated users to modify/delete festival-logos/ objects.

@chiptus chiptus merged commit 259fbff into main May 20, 2026
16 of 17 checks passed
@chiptus chiptus deleted the claude/fix-festival-rls-policies-Qbw22 branch May 20, 2026 19:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chiptus @claude