chore: grant DML on public tables to API roles in test schema migration#121
Merged
Conversation
Tables created by the `postgres` role in the `public` schema no longer inherit SELECT/INSERT/UPDATE/DELETE for anon/authenticated/service_role under current Supabase CLI default privileges (Supabase changelog 45329, effective 2026-05-30), so the whole test suite failed with "permission denied" (42501) errors. Grant the privileges explicitly in the migration, mirroring what it already does for the `personal` schema, plus usage on sequences (identity columns) and execute on functions (stored procedure tests). Default privileges are altered too so tables added by future migrations stay covered. Same fix as supabase-community/supabase-csharp#268. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
spydon
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The test suite fails against a current
supabase startstack withpermission denied for table <name>(42501) on nearly every test (~67 failures, and the test host crashes on an unobserved exception). CI has not caught this because the lastbuild-and-testrun onmasterwas 2025-07-07; the workflow uses unpinnedsupabase-cli@latest, so its next run would fail the same way.Root cause: since Supabase's May 30, 2026 breaking change (changelog 45329), tables created by the
postgresrole in thepublicschema no longer inherit SELECT/INSERT/UPDATE/DELETE foranon/authenticated/service_role— API exposure is now opt-in. The default ACL for these roles is reduced to TRUNCATE/REFERENCES/TRIGGER (anon=Dxtinpg_default_acl). The test schema migration only sets explicit privileges for thepersonalschema and relied on the old implicit grants forpublic.Fix
Grant the privileges explicitly in the schema migration, mirroring what it already does for
personal:select, insert, update, deleteon allpublictables to the API roles,usage, selecton sequences (identity columns on insert),executeon functions (stored-procedure tests),alter default privilegesso tables added by future migrations stay covered.Same fix as supabase-community/supabase-csharp#268 (8e3e903); it is not a monorepo, so it must be applied per repo.
Verification
Fresh
supabase db reset(grants sourced only from the migration) +TZ=UTC dotnet test: 92/92 pass. Without this change, master fails 67 tests on the same stack.Note: run under
TZ=UTCbecauseCoercion: Can coerce primitive typesis timezone-dependent — it fails on any non-UTC machine and is masked on CI (UTC). That is #120 territory and handled separately.