Lint for RLS disabled but policies exist

olirice commented 4 months ago

Proposed Lint

rls_policy_with_rls_disabled

Detects if RLS policies exist for a table but RLS has not been enabled for the table.

Level: WARN

Facing: EXTERNAL

SELECT n.nspname AS schema_name,
    c.relname AS table_name,
    EXISTS (SELECT 1 
            FROM pg_catalog.pg_policy p 
            WHERE p.polrelid = c.oid) AS has_policy,
    c.relrowsecurity AS rls_enabled
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r' -- restrict to tables
   AND n.nspname NOT IN ('pg_catalog', 'information_schema') -- exclude system tables
   AND EXISTS (SELECT 1 
               FROM pg_catalog.pg_policy p 
               WHERE p.polrelid = c.oid)
   AND c.relrowsecurity = false; -- RLS is not enabled

soedirgo commented 4 months ago

Proposed lint is for the converse (policies exists but RLS is disabled)

olirice commented 4 months ago

thanks, added in https://github.com/supabase/splinter/issues/11

supabase / splinter

Lint for RLS disabled but policies exist #10

Proposed Lint