From d459f9d8a430a5cc6445e5162d81a7898a0ce136 Mon Sep 17 00:00:00 2001
From: Bobbie Soedirgo
Date: Wed, 12 Jun 2024 14:38:53 +0800
Subject: [PATCH] feat: revoke supabase_storage_admin from postgres

Prevents Storage schema & migrations from being modified
---
 ...07084701_revoke_supabase_storage_admin_from_postgres.sql | 6 ++++++
 migrations/tests/database/privs.sql | 4 +++-
 migrations/tests/test.sql | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 migrations/db/migrations/20240607084701_revoke_supabase_storage_admin_from_postgres.sql

diff --git a/migrations/db/migrations/20240607084701_revoke_supabase_storage_admin_from_postgres.sql b/migrations/db/migrations/20240607084701_revoke_supabase_storage_admin_from_postgres.sql
new file mode 100644
index 000000000..4c854bdde
--- /dev/null
+++ b/migrations/db/migrations/20240607084701_revoke_supabase_storage_admin_from_postgres.sql
@@ -0,0 +1,6 @@
+-- migrate:up
+revoke supabase_storage_admin from postgres;
+revoke create on schema storage from postgres;
+revoke all on storage.migrations from anon, authenticated, service_role, postgres;
+
+-- migrate:down
diff --git a/migrations/tests/database/privs.sql b/migrations/tests/database/privs.sql
index 217da662a..d5d4f590a 100644
--- a/migrations/tests/database/privs.sql
+++ b/migrations/tests/database/privs.sql
@@ -1,4 +1,3 @@
-
 SELECT database_privs_are(
 'postgres', 'postgres', ARRAY['CONNECT', 'TEMPORARY', 'CREATE']
 );
@@ -28,3 +27,6 @@ SELECT schema_privs_are('extensions', 'postgres', array['CREATE', 'USAGE']);
 SELECT schema_privs_are('extensions', 'anon', array['USAGE']);
 SELECT schema_privs_are('extensions', 'authenticated', array['USAGE']);
 SELECT schema_privs_are('extensions', 'service_role', array['USAGE']);
+
+-- Role memberships
+SELECT isnt_member_of('supabase_storage_admin', 'postgres');
diff --git a/migrations/tests/test.sql b/migrations/tests/test.sql
index 6bd7f23a2..7afa40645 100644
--- a/migrations/tests/test.sql
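Review bot: In 20240607084701_revoke_supabase_storage_admin_from_postgres.sql the `-- migrate:down` section is empty and the file has no comment saying why, so the migration tool cannot roll back the three revokes and a reader cannot tell that this is deliberate. I would add a header such as `-- Security hardening: postgres must not be able to alter the storage schema or storage.migrations; intentionally irreversible.` and a `-- no-op` line under `-- migrate:down`. The comment should also say that the revokes remove only direct grants and the direct membership, so privileges that reach postgres through PUBLIC or another role are untouched. Whether postgres can grant itself the membership again depends on role attributes such as CREATEROLE, which this patch does not show.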
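Review bot: The second privs.sql hunk asserts only the role membership, so two of the three revokes in the new migration (`revoke create on schema storage` and `revoke all on storage.migrations`) have no regression test and a later migration could undo them unnoticed. Next to `isnt_member_of` I would add `SELECT schema_privs_are('storage', 'postgres', array['USAGE']);` and `SELECT table_privs_are('storage', 'migrations', 'postgres', array[]::text[]);`, plus the same table check for anon, authenticated and service_role. The expected lists are inferred from the migration, so confirm them against a migrated database; that USAGE remains on the schema is an assumption.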
+++ b/migrations/tests/test.sql
@@ -5,7 +5,7 @@ BEGIN;
 CREATE EXTENSION IF NOT EXISTS pgtap;
-SELECT plan(34);
+SELECT no_plan();
 \ir fixtures.sql
 \ir database/test.sql
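Review bot: Replacing `SELECT plan(34);` with `SELECT no_plan();` in test.sql drops the check that the expected number of assertions actually ran, so an `\ir` include that is removed or stops contributing tests no longer fails the suite. That matters here because these files are the privilege regression tests. I would keep an explicit count, presumably `SELECT plan(35);` since this patch adds one assertion (confirm against a run). If `no_plan()` stays, the file must end with `SELECT * FROM finish();`; the end of test.sql is outside the hunk, so whether it already does is not visible.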