Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migration squash does not handle access privileges correctly #2352

Open
asciiwhite opened this issue May 31, 2024 · 0 comments
Open

Migration squash does not handle access privileges correctly #2352

asciiwhite opened this issue May 31, 2024 · 0 comments
Labels
bug Something isn't working migration

Comments

@asciiwhite
Copy link

asciiwhite commented May 31, 2024
edited
Loading

Describe the bug

A migration which removes access privileges of an function is not handled correcty by a migration squash. Revoking privileges from public, anon and authenticated usually preserves the privileges to postgres and service_role. But after a migration squash the resulting migration only contains a revoke of public and a grant to service_role which allows anon and authenticated access privileges.

To Reproduce

  1. Create a simple migration like
CREATE OR REPLACE FUNCTION "public"."test"()
    RETURNS void
    LANGUAGE "plpgsql"
    SECURITY DEFINER
    AS $$
BEGIN
END;
$$;

REVOKE ALL ON FUNCTION "public"."test"() FROM PUBLIC, anon, authenticated;
  1. Validating the functions access privileges in SQL Editor shows expected result
SELECT grantee, privilege_type
FROM information_schema.role_routine_grants
WHERE routine_schema = 'public' AND routine_name = 'test';

| grantee      | privilege_type |
| ------------ | -------------- |
| postgres     | EXECUTE        |
| service_role | EXECUTE        |
  1. Squash the migration into new migration, this now includes the correct function but wrong access privileges
CREATE OR REPLACE FUNCTION "public"."test"() RETURNS "void"
    LANGUAGE "plpgsql" SECURITY DEFINER
    AS $$
BEGIN
END;
$$;

REVOKE ALL ON FUNCTION "public"."test"() FROM PUBLIC;
GRANT ALL ON FUNCTION "public"."test"() TO "service_role";
  1. Database reset with only the squashed migration, using SQL Editor to validating privileges
SELECT grantee, privilege_type
FROM information_schema.role_routine_grants
WHERE routine_schema = 'public' AND routine_name = 'test';

| grantee       | privilege_type |
| ------------- | -------------- |
| postgres      | EXECUTE        |
| anon          | EXECUTE        |
| authenticated | EXECUTE        |
| service_role  | EXECUTE        |

Expected behavior
The access privileges should be the same with the squashed migration.

System information

  • Version of CLI: v1.72.2
  • Version of Postgres: 15.1.0.137
@sweatybridge sweatybridge added bug Something isn't working migration labels Jun 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working migration
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sweatybridge @asciiwhite