SpacetimeDB icon indicating copy to clipboard operation
SpacetimeDB copied to clipboard
verified publisher icon clockworklabs

Reject modules with invalid RLS queries earlier in publish

Open gefjon opened this issue 8 months ago • 1 comments

Per @bfops report:

  1. Try publishing a module with a broken client visibility filter, get an error:
Build finished successfully.
Uploading to local => http://127.0.0.1:3000
Publishing module...
Error: failed to get or launch module host: failed to create row-level security: `
    SELECT * FROM Person WHERE name = 'foo'
`: `Person` is not a valid table
  1. Fix the error and try to republish without --delete-data, see the same error message anyway

The only way to fix it is to republish with --delete-data.

It appears that, specifically for initial publishes, RLS filters are checked too late, and the module is created with invalid RLS filters. We should instead be rejecting the publish attempt.

Note that, when publishing without -c onto an existing database, the error is detected early, and the new module version is not installed. The issue is specifically when publishing a fresh module.

gefjon avatar Apr 09 '25 17:04 gefjon