fix: prevent non-superuser roles from dropping supabase_privileged_role

utkarash2991 · utkarash2991 · commit 9427a4e03b80 · 2026-05-26T11:25:11.000+01:00
Add supabase_privileged_role to supautils.reserved_roles so non-superusers with CREATEROLE cannot drop it on PG 15, where PG's native ADMIN OPTION check (introduced in PG 16) does not apply. PG 16+ requires ADMIN OPTION to drop a non-superuser role: https://github.com/postgres/postgres/blame/REL_16_STABLE/src/backend/commands/user.c#L1175 This check is absent in PG 15: https://github.com/postgres/postgres/blob/REL_15_STABLE/src/backend/commands/user.c#L986 Fixes: https://linear.app/supabase/issue/PSQL-1205
diff --git a/nix/tests/smoke/0006-reserved-roles.sql b/nix/tests/smoke/0006-reserved-roles.sql
@@ -0,0 +1,24 @@
+BEGIN;
+
+SELECT plan(2);
+
+CREATE ROLE test_reserved_attacker CREATEROLE;
+GRANT test_reserved_attacker TO postgres;
+SET ROLE test_reserved_attacker;
+
+SELECT throws_ok(
+  $$ DROP ROLE supabase_privileged_role $$,
+  '42501',
+  '"supabase_privileged_role" is a reserved role, only superusers can modify it',
+  'non-superuser with CREATEROLE cannot drop supabase_privileged_role'
+);
+
+RESET ROLE;
+
+SELECT ok(
+  EXISTS(SELECT 1 FROM pg_roles WHERE rolname = 'supabase_privileged_role'),
+  'supabase_privileged_role still exists after failed drop attempt'
+);
+
+SELECT * FROM finish();
+ROLLBACK;
