From ab21a9e45836755d1a815ad89a2ec24b3e0f059e Mon Sep 17 00:00:00 2001
From: Aditya Thebe
Date: Tue, 20 Jan 2026 14:56:06 +0545
Subject: [PATCH] Fix RLS disable for view tables
---
 tests/view_test.go | 7 +++++--
 view/db.go | 7 +++++--
 views/9999_rls_disable.sql | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/tests/view_test.go b/tests/view_test.go
index ff960b06b..77893bdc4 100644
--- a/tests/view_test.go
+++ b/tests/view_test.go
@@ -6,6 +6,7 @@ import ( ginkgo "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + "github.com/flanksource/duty/api" "github.com/flanksource/duty/models" "github.com/flanksource/duty/tests/fixtures/dummy" "github.com/flanksource/duty/types"
@@ -168,7 +169,8 @@ var _ = ginkgo.Describe("View Tests", ginkgo.Serial, ginkgo.Ordered, func() { WHERE relname = ? AND relkind = 'r' `, testTableName).Scan(&rlsEnabled).Error Expect(err).ToNot(HaveOccurred()) - Expect(rlsEnabled).To(BeTrue(), "RLS should be enabled on view table") + applyRLS := api.DefaultConfig.EnableRLS && !api.DefaultConfig.DisableRLS + Expect(rlsEnabled).To(Equal(applyRLS), "RLS state should match config") }) ginkgo.It("should create view_grants_policy on view table", func() {
@@ -180,7 +182,8 @@ var _ = ginkgo.Describe("View Tests", ginkgo.Serial, ginkgo.Ordered, func() { ) `, testTableName).Scan(&policyExists).Error Expect(err).ToNot(HaveOccurred()) - Expect(policyExists).To(BeTrue(), "view_grants_policy should exist on view table") + applyRLS := api.DefaultConfig.EnableRLS && !api.DefaultConfig.DisableRLS + Expect(policyExists).To(Equal(applyRLS), "view_grants_policy should match RLS state") }) })
diff --git a/view/db.go b/view/db.go
index 9569c4a6a..69377f0f7 100644
--- a/view/db.go
+++ b/view/db.go
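Review bot: The predicate `api.DefaultConfig.EnableRLS && !api.DefaultConfig.DisableRLS` is now spelled out three times — in this hunk, in the next hunk of this file, and in view/db.go — so any future change to how the two flags combine has to be repeated in three places or the tests silently drift from production. A single helper on the config type, called from all three sites, would remove that duplication. Because the expectation is now `Equal(applyRLS)` computed from the same global config the code under test reads, the spec passes whether RLS is on or off and no longer proves that an RLS-enabled run actually enables RLS and creates the policy; a case that explicitly sets `api.DefaultConfig.EnableRLS = true` and `api.DefaultConfig.DisableRLS = false` for the duration of the spec (restoring the previous values afterwards) would keep that guarantee. The enclosing Describe block starts and ends outside the hunk.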
@@ -127,8 +127,11 @@ func applyViewTableSchema(ctx context.Context, tableName string, columns ViewCol // Apply RLS policy to enforce grants // (Re)apply RLS and Policy on first table creation or on schema changes if len(changes) > 0 { - if err := ensureViewRLSPolicy(ctx, tableName); err != nil { - return fmt.Errorf("failed to apply RLS policy: %w", err) + applyRLS := api.DefaultConfig.EnableRLS && !api.DefaultConfig.DisableRLS + if applyRLS { + if err := ensureViewRLSPolicy(ctx, tableName); err != nil { + return fmt.Errorf("failed to apply RLS policy: %w", err) + } } }
diff --git a/views/9999_rls_disable.sql b/views/9999_rls_disable.sql
index 16316d45b..5f3ffa2d4 100644
--- a/views/9999_rls_disable.sql
+++ b/views/9999_rls_disable.sql
@@ -48,6 +48,24 @@ BEGIN IF (SELECT relrowsecurity FROM pg_class WHERE relname = 'view_panels') THEN EXECUTE 'ALTER TABLE view_panels DISABLE ROW LEVEL SECURITY;'; END IF; + +END $$; + +-- Disable RLS on dynamically generated view tables +DO $$ +DECLARE + r record; +BEGIN + FOR r IN + SELECT c.relname, c.relrowsecurity + FROM pg_class c + JOIN pg_namespace n ON c.relnamespace = n.oid + WHERE n.nspname = 'public' AND c.relkind = 'r' AND c.relname LIKE 'view\_%' ESCAPE '\' + LOOP + IF r.relrowsecurity THEN + EXECUTE format('ALTER TABLE %I DISABLE ROW LEVEL SECURITY;', r.relname); + END IF; + END LOOP; END $$; -- POLICIES
@@ -74,3 +92,18 @@ DROP POLICY IF EXISTS checks_auth ON checks; DROP POLICY IF EXISTS views_auth ON views; DROP POLICY IF EXISTS view_panels_auth ON view_panels; + +DO $$ +DECLARE + r record; +BEGIN + -- Drop policies on dynamically generated view tables + FOR r IN + SELECT c.relname + FROM pg_class c + JOIN pg_namespace n ON c.relnamespace = n.oid + WHERE n.nspname = 'public' AND c.relkind = 'r' AND c.relname LIKE 'view\_%' ESCAPE '\' + LOOP + EXECUTE format('DROP POLICY IF EXISTS view_grants_policy ON %I;', r.relname); + END LOOP; +END $$;
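Review bot: The new `applyRLS` gate sits inside `if len(changes) > 0`, so when RLS is switched on in config after a view table already exists, that table keeps serving rows without the policy until its schema happens to change; the disable direction is handled by views/9999_rls_disable.sql in this same patch, but nothing visible here covers the enable direction for already-created tables. If no enable-side migration handles dynamically generated view tables, consider testing `applyRLS` outside the schema-change condition and calling `ensureViewRLSPolicy` whenever it is true (its idempotence is suggested by the name but not visible in the hunk), keeping `len(changes) > 0` for the schema work only. At minimum a comment above the gate, `// RLS/policy is only (re)applied on schema changes; toggling the config on an existing table is left to the RLS migrations`, would make the contract explicit. The flags are also read from the package-level `api.DefaultConfig` rather than from ctx, which prevents per-call overrides in tests or callers — worth aligning with however the rest of the package carries config. applyViewTableSchema starts before the hunk and its body continues past it.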
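Review bot: The loop disables row-level security on every ordinary table in `public` whose name starts with `view_`, which is broader than "dynamically generated view tables" — any unrelated table that happens to share the prefix would also lose its RLS, and the same `LIKE 'view\_%'` selection is repeated in the second hunk of this file when dropping `view_grants_policy`. If the generated tables are recorded somewhere (the `views` table referenced just above looks like a candidate), driving both loops from that record, or at least from a more specific prefix, would bound the effect to tables this code actually created. The `format('%I', ...)` identifier quoting is correct and `relrowsecurity` is checked before the ALTER, so the statement itself is sound; the concern is only the selection. A short comment on the SELECT stating why the prefix match is considered safe, `-- every table this migration touches must be one created by view/db.go; widen this predicate with care`, would help whoever audits the migration later.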