docs(0006): clarify multiple permissive policies example and fix logic bug#155
Open
SAY-5 wants to merge 1 commit into supabase:main from
…c bug

Per supabase/supabase#44600, the 'How to Resolve' section of the `0006_multiple_permissive_policies` lint had several issues:

1. Policy B was described as 'at or above a certain grade level' even though the SQL uses `grade_level <= current_user_grade_level()`. Match the prose to the code: 'at or below the current user's grade level.'
2. The intention was described as 'below the querying user's grade level' but the SQL uses `<=`. Update to 'at or below'.
3. Typo: 'departemnt' → 'department'.
4. Add 'regardless of grade level' / 'regardless of department' to make the failure mode explicit, and clarify that rows are returned when *at least one* policy passes (OR semantics).
5. The 'consolidated' policy still had the original bug — it used `OR` and `>=`, which doesn't restrict access at all. Replace with `AND` and `<=` so the policy actually implements the stated intention.
Per supabase/supabase#44600, the 'How to Resolve' section of the `0006_multiple_permissive_policies` lint has prose that doesn't match the SQL, a typo, and a 'consolidated' policy that doesn't actually fix the bug it's supposed to fix.

Changes

- Policy B description was 'at or above a certain grade level', but the SQL uses `grade_level <= current_user_grade_level()`. Match the prose to the code: 'at or below the current user's grade level.'
- Stated intention was 'below the querying user's grade level' even though the example uses `<=`. Updated to 'at or below'.
- Typo: 'departemnt' → 'department'.
- Added clarity to the failure-mode paragraph — 'regardless of grade level' / 'regardless of department' so readers can see why the original setup is wrong, and an explicit note that the rows that come through are the ones satisfying at least one policy (OR semantics), not both.
- The 'consolidated' policy still contained the original bug — it used `OR` and `>=`, which is the same broken semantics in different syntax. Replaced with `AND grade_level <= current_user_grade_level()` so the policy actually implements the stated intention.

Closes supabase/supabase#44600
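The OR-versus-AND point the PR description makes, as an added worked example (this is not the lint's own text nor code from the PR): two permissive policies are OR-ed by PostgreSQL, so their union is what the caller sees, while one consolidated policy with AND enforces both conditions. Everything beyond `grade_level`, `department` and `current_user_grade_level()` is assumed for illustration: the `students` table, the `app_user` role, a `current_user_department()` helper, and reading both attributes from the `request.jwt.claims` setting.

```sql
-- Added example; names other than grade_level, department and
-- current_user_grade_level() are assumptions, not from the lint docs.
create table students (
  id          serial primary key,
  name        text not null,
  department  text not null,
  grade_level int  not null
);
alter table students enable row level security;

-- Hypothetical helpers: read the caller's attributes from a JWT-claims setting.
create function current_user_grade_level() returns int
  language sql stable as $$
  select (current_setting('request.jwt.claims', true)::json->>'grade_level')::int
$$;
create function current_user_department() returns text
  language sql stable as $$
  select current_setting('request.jwt.claims', true)::json->>'department'
$$;

insert into students (name, department, grade_level) values
  ('math-1',    'math',    1),   -- constructed sample rows
  ('math-3',    'math',    3),
  ('history-1', 'history', 1),
  ('history-3', 'history', 3);

create role app_user nologin;
grant select on students to app_user;

-- BEFORE: two permissive policies. Permissive policies are OR-ed, so a row is
-- visible when EITHER condition holds: every row in the caller's department
-- regardless of grade level, plus every row at or below the caller's grade
-- regardless of department.
create policy "A: same department" on students for select to app_user
  using (department = current_user_department());
create policy "B: at or below grade" on students for select to app_user
  using (grade_level <= current_user_grade_level());

-- Caller is in 'math' with grade level 1.
select set_config('request.jwt.claims',
                  '{"department":"math","grade_level":1}', false);
set role app_user;
select name from students order by name;
-- leaks: history-1 (policy B), math-3 (policy A), math-1
reset role;

-- AFTER: drop both and replace with one policy that AND-s the conditions.
drop policy "A: same department" on students;
drop policy "B: at or below grade" on students;
create policy "same department and at or below grade" on students
  for select to app_user
  using (department = current_user_department()
         and grade_level <= current_user_grade_level());

set role app_user;
select name from students order by name;
-- only math-1: same department AND grade_level <= 1
reset role;
```

Run it as a superuser (or the table owner) in a scratch database; `set role app_user` is what makes the policies apply, since owners and superusers bypass RLS. Note that the consolidated policy fails closed when a claim is missing: a null from the helper makes the comparison null, which RLS treats as false.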