Skip to content

chore: grant DML on public tables to API roles in test schema migration#65

Merged
Tr00d merged 1 commit into
masterfrom
chore/grant-dml-on-public-tables
Jul 8, 2026
Merged

chore: grant DML on public tables to API roles in test schema migration#65
Tr00d merged 1 commit into
masterfrom
chore/grant-dml-on-public-tables

Conversation

@Tr00d

@Tr00d Tr00d commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Problem

Against a current supabase start stack, 20 of 30 tests fail — the direct failures are permission denied for table todos (42501), and the rest are downstream (subscriptions waiting on inserts that never happened).

Root cause: since Supabase's May 30, 2026 breaking change (changelog 45329), tables created by the postgres role in the public schema no longer inherit SELECT/INSERT/UPDATE/DELETE for anon/authenticated/service_role — API exposure is now opt-in. The init migration creates its tables without any explicit grants, so the API roles end up with no DML at all (has_table_privilege('anon','public.todos','insert')false). CI hasn't surfaced this because it uses unpinned supabase-cli@latest and hasn't run since before the change.

Fix

Grant the privileges explicitly in the init migration:

  • select, insert, update, delete on all public tables to the API roles,
  • usage, select on sequences (identity columns on insert),
  • execute on functions,
  • matching alter default privileges so tables added by future migrations stay covered.

Same fix as supabase-community/supabase-csharp#268 and supabase-community/postgrest-csharp#121 — not a monorepo, so it must be applied per repo.

Verification

  • Before: TZ=UTC dotnet test20 failed / 10 passed, anon insert on public.todos = false.
  • After supabase db reset (grants sourced only from the migration): TZ=UTC dotnet test30/30 pass, anon insert = true.

Tables created by the `postgres` role in the `public` schema no longer
inherit SELECT/INSERT/UPDATE/DELETE for anon/authenticated/service_role
under current Supabase CLI default privileges (Supabase changelog 45329,
effective 2026-05-30), so 20 of 30 tests failed with "permission denied
for table todos" (42501). Grant the privileges explicitly in the
migration, plus usage on sequences (identity columns) and execute on
functions. Default privileges are altered too so tables added by future
migrations stay covered.

Same fix as supabase-community/supabase-csharp#268 and
supabase-community/postgrest-csharp#121.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@Tr00d Tr00d marked this pull request as ready for review July 8, 2026 12:41
@Tr00d Tr00d merged commit 257789b into master Jul 8, 2026
1 check passed
@Tr00d Tr00d deleted the chore/grant-dml-on-public-tables branch July 8, 2026 12:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants