chore: grant DML on public tables to API roles in test schema migration#65
Merged
Conversation
Tables created by the `postgres` role in the `public` schema no longer inherit SELECT/INSERT/UPDATE/DELETE for anon/authenticated/service_role under current Supabase CLI default privileges (Supabase changelog 45329, effective 2026-05-30), so 20 of 30 tests failed with "permission denied for table todos" (42501). Grant the privileges explicitly in the migration, plus usage on sequences (identity columns) and execute on functions. Default privileges are altered too so tables added by future migrations stay covered. Same fix as supabase-community/supabase-csharp#268 and supabase-community/postgrest-csharp#121. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
spydon
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Against a current
supabase startstack, 20 of 30 tests fail — the direct failures arepermission denied for table todos(42501), and the rest are downstream (subscriptions waiting on inserts that never happened).Root cause: since Supabase's May 30, 2026 breaking change (changelog 45329), tables created by the
postgresrole in thepublicschema no longer inherit SELECT/INSERT/UPDATE/DELETE foranon/authenticated/service_role— API exposure is now opt-in. The init migration creates its tables without any explicit grants, so the API roles end up with no DML at all (has_table_privilege('anon','public.todos','insert')→false). CI hasn't surfaced this because it uses unpinnedsupabase-cli@latestand hasn't run since before the change.Fix
Grant the privileges explicitly in the init migration:
select, insert, update, deleteon allpublictables to the API roles,usage, selecton sequences (identity columns on insert),executeon functions,alter default privilegesso tables added by future migrations stay covered.Same fix as supabase-community/supabase-csharp#268 and supabase-community/postgrest-csharp#121 — not a monorepo, so it must be applied per repo.
Verification
TZ=UTC dotnet test→ 20 failed / 10 passed,anoninsert onpublic.todos= false.supabase db reset(grants sourced only from the migration):TZ=UTC dotnet test→ 30/30 pass,anoninsert = true.