Skip to content

security advisor warnings #44

Description

@jdgamble555
Image

Supabase is cracking down on security.

Signed-In Users Can Execute SECURITY DEFINER Function

With these functions:

rbac._validate_grantable_roles(p_roles text[])
rbac._validate_permissions(p_permissions text[])
rbac._validate_roles(p_roles text[])
rbac.accept_invite(p_invite_id uuid)
Detects SECURITY DEFINER functions that are callable by signed-in users. 
Revoke EXECUTE, switch the function to SECURITY INVOKER, 
or move it out of your exposed API schema if signed-in users should not call it.

I'm not sure if there is a way around this ?

If you revoke authenticated, then the parent may not be able to run it?

J

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions