feat: revoke supabase_storage_admin from postgres

soedirgo · soedirgo · commit 3d1a215b8347 · 2025-04-04T18:00:20.000+08:00
Prevents Storage schema &amp; migrations from being modified
diff --git a/migrations/db/migrations/20240607084701_revoke_supabase_storage_admin_from_postgres.sql b/migrations/db/migrations/20240607084701_revoke_supabase_storage_admin_from_postgres.sql
@@ -0,0 +1,6 @@
+-- migrate:up
+revoke supabase_storage_admin from postgres;
+revoke create on schema storage from postgres;
+revoke all on storage.migrations from anon, authenticated, service_role, postgres;
+
+-- migrate:down
diff --git a/migrations/tests/database/privs.sql b/migrations/tests/database/privs.sql
@@ -27,3 +27,4 @@ SELECT schema_privs_are('extensions', 'service_role', array['USAGE']);
 -- Role memberships
 SELECT is_member_of('pg_read_all_data', 'postgres');
 SELECT is_member_of('pg_signal_backend', 'postgres');
+SELECT isnt_member_of('supabase_storage_admin', 'postgres');
