Skip to content

chore: grant DML on public tables to API roles in test schema migration#121

Merged
Tr00d merged 1 commit into
masterfrom
chore/grant-dml-on-public-tables
Jul 8, 2026
Merged

chore: grant DML on public tables to API roles in test schema migration#121
Tr00d merged 1 commit into
masterfrom
chore/grant-dml-on-public-tables

Conversation

@Tr00d

@Tr00d Tr00d commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Problem

The test suite fails against a current supabase start stack with permission denied for table <name> (42501) on nearly every test (~67 failures, and the test host crashes on an unobserved exception). CI has not caught this because the last build-and-test run on master was 2025-07-07; the workflow uses unpinned supabase-cli@latest, so its next run would fail the same way.

Root cause: since Supabase's May 30, 2026 breaking change (changelog 45329), tables created by the postgres role in the public schema no longer inherit SELECT/INSERT/UPDATE/DELETE for anon/authenticated/service_role — API exposure is now opt-in. The default ACL for these roles is reduced to TRUNCATE/REFERENCES/TRIGGER (anon=Dxt in pg_default_acl). The test schema migration only sets explicit privileges for the personal schema and relied on the old implicit grants for public.

Fix

Grant the privileges explicitly in the schema migration, mirroring what it already does for personal:

  • select, insert, update, delete on all public tables to the API roles,
  • usage, select on sequences (identity columns on insert),
  • execute on functions (stored-procedure tests),
  • matching alter default privileges so tables added by future migrations stay covered.

Same fix as supabase-community/supabase-csharp#268 (8e3e903); it is not a monorepo, so it must be applied per repo.

Verification

Fresh supabase db reset (grants sourced only from the migration) + TZ=UTC dotnet test: 92/92 pass. Without this change, master fails 67 tests on the same stack.

Note: run under TZ=UTC because Coercion: Can coerce primitive types is timezone-dependent — it fails on any non-UTC machine and is masked on CI (UTC). That is #120 territory and handled separately.

Tables created by the `postgres` role in the `public` schema no longer
inherit SELECT/INSERT/UPDATE/DELETE for anon/authenticated/service_role
under current Supabase CLI default privileges (Supabase changelog 45329,
effective 2026-05-30), so the whole test suite failed with "permission
denied" (42501) errors. Grant the privileges explicitly in the migration,
mirroring what it already does for the `personal` schema, plus usage on
sequences (identity columns) and execute on functions (stored procedure
tests). Default privileges are altered too so tables added by future
migrations stay covered.

Same fix as supabase-community/supabase-csharp#268.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@Tr00d Tr00d merged commit e6527e3 into master Jul 8, 2026
1 check passed
@Tr00d Tr00d deleted the chore/grant-dml-on-public-tables branch July 8, 2026 12:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants