feat: revoke supabase_storage_admin from postgres

soedirgo · soedirgo · commit d459f9d8a430 · 2024-06-12T17:39:44.000+08:00
Prevents Storage schema &amp; migrations from being modified
diff --git a/migrations/db/migrations/20240607084701_revoke_supabase_storage_admin_from_postgres.sql b/migrations/db/migrations/20240607084701_revoke_supabase_storage_admin_from_postgres.sql
@@ -0,0 +1,6 @@
+-- migrate:up
+revoke supabase_storage_admin from postgres;
+revoke create on schema storage from postgres;
+revoke all on storage.migrations from anon, authenticated, service_role, postgres;
+
+-- migrate:down
diff --git a/migrations/tests/database/privs.sql b/migrations/tests/database/privs.sql
@@ -1,4 +1,3 @@
-
 SELECT database_privs_are(
     'postgres', 'postgres', ARRAY['CONNECT', 'TEMPORARY', 'CREATE']
 );
@@ -28,3 +27,6 @@ SELECT schema_privs_are('extensions', 'postgres', array['CREATE', 'USAGE']);
 SELECT schema_privs_are('extensions', 'anon', array['USAGE']);
 SELECT schema_privs_are('extensions', 'authenticated', array['USAGE']);
 SELECT schema_privs_are('extensions', 'service_role', array['USAGE']);
+
+-- Role memberships
+SELECT isnt_member_of('supabase_storage_admin', 'postgres');
diff --git a/migrations/tests/test.sql b/migrations/tests/test.sql
@@ -5,7 +5,7 @@ BEGIN;
 
 CREATE EXTENSION IF NOT EXISTS pgtap;
 
-SELECT plan(34);
+SELECT no_plan();
 
 \ir fixtures.sql
 \ir database/test.sql
