Several lints check if certain insecure object types are exposed publicly over APIs.
Historically, we have only used permissions of the `anon` and `authenticated` roles to determine if an object should be linted. We should also consider if the object is on the API's search path `pgrst.db_schemas`, but that value was not available in the database.
Now that https://github.com/supabase/supabase/pull/25784 has merged, we can reference `pgrst.db_schemas`. This PR updates the relevant API lints to filter out entities that aren't on that API search path.
This change:

- reduces the false positive rate
- allows Supabase users who do not use APIs to clear these lints by emptying their API search path setting
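An added example of the two-part check the PR describes (not the PR's or splinter's own lint code): a lint query that reports tables readable by `anon` or `authenticated` only when the table's schema is also listed in `pgrst.db_schemas`. It assumes that `pgrst.db_schemas` is stored as a role-level setting on the `authenticator` role (readable from `pg_db_role_setting`), that the `anon` and `authenticated` roles exist, and it uses "RLS disabled" as the insecure condition to report.

```sql
-- Assumed storage of the API search path (a role-level setting), e.g.
--   ALTER ROLE authenticator SET pgrst.db_schemas = 'public, graphql_public';
-- pg_db_role_setting.setconfig then holds 'pgrst.db_schemas=public, graphql_public'.
with api_schemas as (
  -- Split the comma-separated setting into one row per schema name.
  select trim(both ' "' from t.schema_name) as nspname
  from pg_catalog.pg_db_role_setting s
  join pg_catalog.pg_roles r on r.oid = s.setrole
  cross join lateral unnest(s.setconfig) as cfg(setting)
  cross join lateral unnest(string_to_array(
      substring(cfg.setting from 'pgrst\.db_schemas=(.*)$'), ',')) as t(schema_name)
  where r.rolname = 'authenticator'
    and cfg.setting like 'pgrst.db_schemas=%'
),
readable_by_api_roles as (
  -- Historical check: the role-permission half of the lint.
  select n.nspname, c.relname, c.relrowsecurity
  from pg_catalog.pg_class c
  join pg_catalog.pg_namespace n on n.oid = c.relnamespace
  where c.relkind in ('r', 'p')                  -- ordinary and partitioned tables
    and (has_table_privilege('anon', c.oid, 'SELECT')
      or has_table_privilege('authenticated', c.oid, 'SELECT'))
)
-- New half: keep only objects whose schema PostgREST actually serves.
-- With pgrst.db_schemas empty, api_schemas has no rows and nothing is reported.
select e.nspname, e.relname
from readable_by_api_roles e
join api_schemas a on a.nspname = e.nspname
where not e.relrowsecurity                       -- the insecure condition being linted
order by e.nspname, e.relname;
```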