feat: add lint to detect RLS policies that allow access to anonymous users - Githubissues

supabase / splinter

Supabase Postgres Linter

https://supabase.github.io/splinter/

70 stars 6 forks source link

feat: add lint to detect RLS policies that allow access to anonymous users #28

Open kangmingtay opened 3 months ago

kangmingtay commented 3 months ago

What kind of change does this PR introduce?

adds a lint to check if there are any policies that allow access to anonymous users

What is the current behavior?

currently, if a user enables anonymous sign-ins for their project, they need to manually check existing RLS policies to see if any of them are compromised.

What is the new behavior?

this lint will highlight any policies that:
- are associated to the authenticated, public, or any other role members
- policies that don't contain the auth.jwt()->>'is_anonymous' expression in the policy definition

Additional context

Add any other context or screenshots.

kangmingtay commented 2 months ago

blocked on deciding how we can run lints conditionally on the platform - currently, there's no way to conditionally execute a lint from the splinter.sql file