From 61586c3bdae2637bf39fb72a480b8c079f044713 Mon Sep 17 00:00:00 2001
From: Sumanth Chinthagunta
Date: Fri, 21 Jun 2024 17:56:03 -0700
Subject: [PATCH] fix(hasura): add access permissions for storage and security_keys tables
---
 apps/console/schema.graphql | 11 +++++
 compose.override.yml | 2 +-
 compose.yml | 12 +++---
 .../tables/auth_user_security_keys.yaml | 11 ++---
 .../default/tables/storage_files.yaml | 42 +++++++++++++++++++
 5 files changed, 66 insertions(+), 12 deletions(-)
diff --git a/apps/console/schema.graphql b/apps/console/schema.graphql
index 736f15de..c265def8 100644
--- a/apps/console/schema.graphql
+++ b/apps/console/schema.graphql
@@ -276,6 +276,7 @@ type authUserSecurityKeys { """An object relationship""" user: users! + userId: uuid! } """
@@ -325,12 +326,14 @@ input authUserSecurityKeys_bool_exp { id: uuid_comparison_exp nickname: String_comparison_exp user: users_bool_exp + userId: uuid_comparison_exp } """aggregate max on columns""" type authUserSecurityKeys_max_fields { id: uuid nickname: String + userId: uuid } """
@@ -339,12 +342,14 @@ order by max() on columns of table "auth.user_security_keys" input authUserSecurityKeys_max_order_by { id: order_by nickname: order_by + userId: order_by } """aggregate min on columns""" type authUserSecurityKeys_min_fields { id: uuid nickname: String + userId: uuid } """
@@ -353,6 +358,7 @@ order by min() on columns of table "auth.user_security_keys" input authUserSecurityKeys_min_order_by { id: order_by nickname: order_by + userId: order_by } """
@@ -371,6 +377,7 @@ input authUserSecurityKeys_order_by { id: order_by nickname: order_by user: users_order_by + userId: order_by } """
@@ -382,6 +389,9 @@ enum authUserSecurityKeys_select_column { """column name""" nickname + + """column name""" + userId } """
@@ -399,6 +409,7 @@ input authUserSecurityKeys_stream_cursor_input { input authUserSecurityKeys_stream_cursor_value_input { id: uuid nickname: String + userId: uuid } scalar citext
diff --git a/compose.override.yml b/compose.override.yml
index adda12c0..de476d0c 100644
--- a/compose.override.yml
+++ b/compose.override.yml
@@ -5,7 +5,7 @@ services:
 console:
 ## User `cli-migrations-v3` only in local dev env.
 ## It will automatically apply Migrations and Metadata to a Hasura GraphQL Engine
- image: hasura/graphql-engine:v2.39.2-ce.cli-migrations-v3
+ image: hasura/graphql-engine:v2.40.1-ce.cli-migrations-v3
 hostname: console
 container_name: console
 restart: unless-stopped
diff --git a/compose.yml b/compose.yml
index ca990ef5..db9d62e2 100644
--- a/compose.yml
+++ b/compose.yml
@@ -20,7 +20,7 @@ services:
 # traefik proxy
 ###########################################################################
 traefik:
- image: traefik:v3.0.1
+ image: traefik:v3.0.3
 hostname: traefik
 container_name: traefik
 restart: unless-stopped
@@ -53,7 +53,7 @@ services:
 postgres:
 image: postgres:16
 # image: pgvector/pgvector:pg16
- # image: timescale/timescaledb-ha:pg16
+ # image: timescale/timescaledb-ha:pg16 # no support for Mac ARM yet.
 hostname: postgres
 container_name: postgres
 restart: unless-stopped
@@ -85,7 +85,7 @@ services:
 # hasura service
 ###########################################################################
 graphql:
- image: hasura/graphql-engine:v2.39.2-ce
+ image: hasura/graphql-engine:v2.40.1-ce
 hostname: graphql
 container_name: graphql
 restart: unless-stopped
@@ -140,7 +140,7 @@ services:
 # e.g. ./infra/base/mailpit/certs/ca.pem:/etc/ssl/certs/ca-certificates.crt
 ###########################################################################
 mailpit:
- image: axllent/mailpit:v1.18.4
+ image: axllent/mailpit:v1.18.6
 hostname: mailpit
 container_name: mailpit
 restart: unless-stopped
@@ -290,7 +290,7 @@ services:
 # minio
 ###########################################################################
 minio:
- image: bitnami/minio:2024.5.10
+ image: bitnami/minio:2024.6.13
 hostname: minio
 container_name: minio
 restart: unless-stopped
@@ -417,7 +417,7 @@ services:
 # configserver
 ###########################################################################
 configserver:
- image: nhost/cli:v1.18.2
+ image: nhost/cli:v1.18.3
 hostname: configserver
 container_name: configserver
 restart: unless-stopped
diff --git a/nhost/metadata/databases/default/tables/auth_user_security_keys.yaml b/nhost/metadata/databases/default/tables/auth_user_security_keys.yaml
index 76254964..62c6dcba 100644
--- a/nhost/metadata/databases/default/tables/auth_user_security_keys.yaml
+++ b/nhost/metadata/databases/default/tables/auth_user_security_keys.yaml
@@ -37,6 +37,7 @@ select_permissions:
 columns:
 - id
 - nickname
+ - user_id
 filter:
 user_id:
 _eq: x-hasura-user-id
@@ -47,6 +48,7 @@ select_permissions:
 columns:
 - id
 - nickname
+ - user_id
 filter:
 user_id:
 _eq: x-hasura-user-id
@@ -57,27 +59,26 @@ select_permissions:
 columns:
 - id
 - nickname
+ - user_id
 filter:
 user_id:
 _eq: x-hasura-user-id
 allow_aggregations: true
- comment: ""
 delete_permissions:
 - role: manager
 permission:
 filter:
 user_id:
- _eq: x-hasura-user-id
+ _eq: x-hasura-auth-elevated
 comment: ""
 - role: supervisor
 permission:
 filter:
 user_id:
- _eq: x-hasura-user-id
+ _eq: x-hasura-auth-elevated
 comment: ""
 - role: user
 permission:
 filter:
 user_id:
- _eq: x-hasura-user-id
- comment: ""
+ _eq: x-hasura-auth-elevated
diff --git a/nhost/metadata/databases/default/tables/storage_files.yaml b/nhost/metadata/databases/default/tables/storage_files.yaml
index 5e43b536..0d48c397 100644
--- a/nhost/metadata/databases/default/tables/storage_files.yaml
+++ b/nhost/metadata/databases/default/tables/storage_files.yaml
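Review bot: The three `delete_permissions` filters in auth_user_security_keys.yaml now compare `user_id` with `x-hasura-auth-elevated`, and nothing in the metadata records why delete uses a different session variable from the `select_permissions` filters in the same file, which stay on `x-hasura-user-id`. The `comment` field is the natural place for it, since a YAML comment is unlikely to survive a metadata re-export: for example `comment: "delete requires an elevated session; x-hasura-auth-elevated is expected to carry the caller's user id"` on all three roles, instead of leaving `comment: ""` on manager and supervisor and dropping it for user. This presumably relies on the auth service issuing that claim only after step-up authentication; if a token lacks it, Hasura is likely to reject the delete outright rather than match zero rows, so the client-side handling is worth confirming. The `select_permissions` entry at the top of the last hunk starts outside it.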
@@ -52,3 +52,45 @@ object_relationships:
 - name: bucket
 using:
 foreign_key_constraint_on: bucket_id
+insert_permissions:
+ - role: user
+ permission:
+ check: {}
+ columns:
+ - bucket_id
+ - created_at
+ - etag
+ - id
+ - is_uploaded
+ - metadata
+ - mime_type
+ - name
+ - size
+ - updated_at
+ - uploaded_by_user_id
+ set:
+ uploaded_by_user_id: x-hasura-user-id
+select_permissions:
+ - role: user
+ permission:
+ columns:
+ - bucket_id
+ - created_at
+ - etag
+ - id
+ - is_uploaded
+ - metadata
+ - mime_type
+ - name
+ - size
+ - updated_at
+ - uploaded_by_user_id
+ filter:
+ uploaded_by_user_id:
+ _eq: x-hasura-user-id
+delete_permissions:
+ - role: user
+ permission:
+ filter:
+ uploaded_by_user_id:
+ _eq: x-hasura-user-id
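Review bot: The `user` insert permission on storage_files pairs `check: {}` with a column list that includes fields that look server-managed (`etag`, `is_uploaded`, `created_at`, `updated_at`), so a caller with the `user` role can insert a row for any `bucket_id` and pick those values through GraphQL. `uploaded_by_user_id` is listed in `columns` while also being forced by `set`; the preset should be the only source, so drop `- uploaded_by_user_id` from the insert `columns`. I would trim the insert columns to what a client actually has to supply and replace `check: {}` with a row check that limits `bucket_id` (and, if wanted, `size` or `mime_type`) to what this role may use; which columns the storage service needs under this role is not visible here and should be confirmed first. The select and delete filters on `uploaded_by_user_id` scope rows to the caller as written.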