feat: revoke supabase_storage_admin from postgres

Prevents Storage schema & migrations from being modified

migrations/db/migrations/20240607084701_revoke_supabase_storage_admin_from_postgres.sql

@@ -0,0 +1,6 @@
+-- migrate:up
+revoke supabase_storage_admin from postgres;
+revoke create on schema storage from postgres;
+revoke all on storage.migrations from anon, authenticated, service_role, postgres;
+
+-- migrate:down

migrations/tests/database/privs.sql

@@ -1,4 +1,3 @@
-
 SELECT database_privs_are(
     'postgres', 'postgres', ARRAY['CONNECT', 'TEMPORARY', 'CREATE']
 );
@@ -28,3 +27,6 @@ SELECT schema_privs_are('extensions', 'postgres', array['CREATE', 'USAGE']);
 SELECT schema_privs_are('extensions', 'anon', array['USAGE']);
 SELECT schema_privs_are('extensions', 'authenticated', array['USAGE']);
 SELECT schema_privs_are('extensions', 'service_role', array['USAGE']);
+
+-- Role memberships
+SELECT isnt_member_of('supabase_storage_admin', 'postgres');

migrations/tests/test.sql

@@ -5,7 +5,7 @@ BEGIN;
 
 CREATE EXTENSION IF NOT EXISTS pgtap;
 
-SELECT plan(34);
+SELECT no_plan();
 
 \ir fixtures.sql
 \ir database/test.sql