
If table already has RLS enabled, "default_access" policy is not added

Open pnispel opened this issue 1 year ago • 3 comments

Because of this check: https://github.com/cfeenstra67/sqlauthz/blob/main/src/pg-backend.ts#L382, a table that already has RLS enabled won't get the permissive grant.

pnispel Aug 10 '24 17:08

Thanks for opening these issues, I'll take a closer look and get back to you later today.

cfeenstra67 Aug 14 '24 23:08

Hey there @pnispel,

I have a fix for this that will add the policy if RLS is enabled and no existing permissive policies exist here: https://github.com/cfeenstra67/sqlauthz/pull/4

Before I merge that though I want to make sure that that actually does what you'd want it to do. Do you have a particular use-case in mind here? Is it a table that has RLS enabled w/ no policies, or is it a table that has permissive policies that apply to other users and you just want to manage permissions for specific users w/ sqlauthz?

cfeenstra67 Aug 15 '24 05:08

Hey @cfeenstra67. Awesome library by the way. The way I've handled this on the fork is granting a permissive policy per user instead of to public.

pnispel Aug 15 '24 14:08

Super happy to hear that you're liking the tool! I took another look today and merged some new behavior that should work well in most cases:

  • When enabling RLS on a table, create a new "empty" selective policy by default
  • If RLS is already enabled, add user and privilege-level selective policies as needed

Going to close this issue now as resolved.

cfeenstra67 Sep 08 '24 20:09
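
The PostgreSQL behaviour this thread turns on, as an added example that is not part of the issue and is not sqlauthz's own generated SQL: a table with RLS enabled and no policy denies every row, and a permissive policy scoped to one role opens it for that role only. The table, role and policy names are constructed, and the script assumes a superuser session on a scratch database.

```sql
-- Added illustration. demo_orders, alice, bob and alice_select are constructed names.
-- Everything runs inside one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE alice NOLOGIN;
CREATE ROLE bob NOLOGIN;
CREATE TABLE demo_orders (id int PRIMARY KEY, owner text NOT NULL);
INSERT INTO demo_orders VALUES (1, 'alice'), (2, 'bob');
GRANT SELECT ON demo_orders TO alice, bob;

-- The situation from the issue: RLS is already enabled and no policy exists.
ALTER TABLE demo_orders ENABLE ROW LEVEL SECURITY;

-- Default deny applies here: the SELECT privilege alone exposes no rows to alice.
SET LOCAL ROLE alice;
SELECT count(*) AS visible_to_alice FROM demo_orders;
RESET ROLE;

-- Permissive policy granted to one role instead of TO PUBLIC.
CREATE POLICY alice_select ON demo_orders
    AS PERMISSIVE FOR SELECT TO alice USING (true);

-- alice is now covered by a permissive policy; bob is still under default deny.
SET LOCAL ROLE alice;
SELECT count(*) AS visible_to_alice FROM demo_orders;
RESET ROLE;
SET LOCAL ROLE bob;
SELECT count(*) AS visible_to_bob FROM demo_orders;
RESET ROLE;

-- Audit query: every RLS-enabled table with its number of permissive policies
-- and how many of those apply to PUBLIC. A count of zero means default deny
-- for all non-owner roles; a PUBLIC policy with USING (true) means RLS filters nothing.
SELECT c.oid::regclass AS table_name,
       c.relforcerowsecurity AS rls_forced_on_owner,
       count(p.policyname) FILTER (WHERE p.permissive = 'PERMISSIVE') AS permissive_policies,
       count(p.policyname) FILTER (WHERE p.permissive = 'PERMISSIVE'
                                     AND 'public' = ANY (p.roles)) AS public_permissive
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policies p ON p.schemaname = n.nspname AND p.tablename = c.relname
WHERE c.relkind IN ('r', 'p') AND c.relrowsecurity
GROUP BY c.oid, c.relforcerowsecurity
ORDER BY 1;

ROLLBACK;
```

The audit query works on its own outside the transaction and is a quick way to review which tables a policy-generating tool would treat as "RLS already enabled".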