@@ -57,10 +57,7 @@ DROP POLICY IF EXISTS config_items_auth ON config_items;
5757CREATE POLICY config_items_auth ON config_items
5858 FOR ALL TO postgrest_api, postgrest_anon
5959 USING (
60- CASE WHEN (SELECT is_rls_disabled()) THEN TRUE
61- ELSE
62- (config_items .__scope && rls_scope_access())
63- END
60+ (config_items .__scope && rls_scope_access())
6461 );
6562
6663-- Policy config_changes
@@ -69,14 +66,12 @@ DROP POLICY IF EXISTS config_changes_auth ON config_changes;
6966CREATE POLICY config_changes_auth ON config_changes
7067 FOR ALL TO postgrest_api, postgrest_anon
7168 USING (
72- CASE WHEN (SELECT is_rls_disabled()) THEN TRUE
73- ELSE EXISTS (
69+ EXISTS (
7470 -- just leverage the RLS on config_items
7571 SELECT 1
7672 FROM config_items
7773 WHERE config_items .id = config_changes .config_id
7874 )
79- END
8075 );
8176
8277-- Policy config_analysis
@@ -85,14 +80,12 @@ DROP POLICY IF EXISTS config_analysis_auth ON config_analysis;
8580CREATE POLICY config_analysis_auth ON config_analysis
8681 FOR ALL TO postgrest_api, postgrest_anon
8782 USING (
88- CASE WHEN (SELECT is_rls_disabled()) THEN TRUE
89- ELSE EXISTS (
83+ EXISTS (
9084 -- just leverage the RLS on config_items
9185 SELECT 1
9286 FROM config_items
9387 WHERE config_items .id = config_analysis .config_id
9488 )
95- END
9689 );
9790
9891-- Policy config_relationships
@@ -101,13 +94,9 @@ DROP POLICY IF EXISTS config_relationships_auth ON config_relationships;
10194CREATE POLICY config_relationships_auth ON config_relationships
10295 FOR ALL TO postgrest_api, postgrest_anon
10396 USING (
104- CASE WHEN (SELECT is_rls_disabled()) THEN TRUE
105- ELSE (
106- -- just leverage the RLS on config_items - user must have access to both items
107- EXISTS (SELECT 1 FROM config_items WHERE config_items .id = config_relationships .config_id )
108- AND EXISTS (SELECT 1 FROM config_items WHERE config_items .id = config_relationships .related_id )
109- )
110- END
97+ -- just leverage the RLS on config_items - user must have access to both items
98+ EXISTS (SELECT 1 FROM config_items WHERE config_items .id = config_relationships .config_id )
99+ AND EXISTS (SELECT 1 FROM config_items WHERE config_items .id = config_relationships .related_id )
111100 );
112101
113102-- Policy config_component_relationships
@@ -116,14 +105,12 @@ DROP POLICY IF EXISTS config_component_relationships_auth ON config_component_re
116105CREATE POLICY config_component_relationships_auth ON config_component_relationships
117106 FOR ALL TO postgrest_api, postgrest_anon
118107 USING (
119- CASE WHEN (SELECT is_rls_disabled()) THEN TRUE
120- ELSE EXISTS (
108+ EXISTS (
121109 -- just leverage the RLS on config_items
122110 SELECT 1
123111 FROM config_items
124112 WHERE config_items .id = config_component_relationships .config_id
125113 )
126- END
127114 );
128115
129116-- Policy components
@@ -132,10 +119,7 @@ DROP POLICY IF EXISTS components_auth ON components;
132119CREATE POLICY components_auth ON components
133120 FOR ALL TO postgrest_api, postgrest_anon
134121 USING (
135- CASE WHEN (SELECT is_rls_disabled()) THEN TRUE
136- ELSE
137- (components .__scope && rls_scope_access())
138- END
122+ (components .__scope && rls_scope_access())
139123 );
140124
141125-- Policy canaries
@@ -144,10 +128,7 @@ DROP POLICY IF EXISTS canaries_auth ON canaries;
144128CREATE POLICY canaries_auth ON canaries
145129 FOR ALL TO postgrest_api, postgrest_anon
146130 USING (
147- CASE WHEN (SELECT is_rls_disabled()) THEN TRUE
148- ELSE
149- (canaries .__scope && rls_scope_access())
150- END
131+ (canaries .__scope && rls_scope_access())
151132 );
152133
153134-- Policy playbooks
@@ -156,10 +137,7 @@ DROP POLICY IF EXISTS playbooks_auth ON playbooks;
156137CREATE POLICY playbooks_auth ON playbooks
157138 FOR ALL TO postgrest_api, postgrest_anon
158139 USING (
159- CASE WHEN (SELECT is_rls_disabled()) THEN TRUE
160- ELSE
161- (playbooks .__scope && rls_scope_access())
162- END
140+ (playbooks .__scope && rls_scope_access())
163141 );
164142
165143-- Policy playbook_runs
@@ -168,31 +146,27 @@ DROP POLICY IF EXISTS playbook_runs_auth ON playbook_runs;
168146CREATE POLICY playbook_runs_auth ON playbook_runs
169147 FOR ALL TO postgrest_api, postgrest_anon
170148 USING (
171- CASE WHEN (SELECT is_rls_disabled()) THEN TRUE
172- ELSE (
173- -- User must have access to the playbook
174- EXISTS (
175- SELECT 1
176- FROM playbooks
177- WHERE playbooks .id = playbook_runs .playbook_id
178- )
179- AND
180- -- AND if run has a config_id, user must have access to that config
181- (playbook_runs .config_id IS NULL OR EXISTS (
182- SELECT 1
183- FROM config_items
184- WHERE config_items .id = playbook_runs .config_id
185- ))
186- AND
187- -- AND if run has a check_id, user must have access to that check (via its canary)
188- (playbook_runs .check_id IS NULL OR EXISTS (
189- SELECT 1
190- FROM checks
191- WHERE checks .id = playbook_runs .check_id
192- ))
193- -- Note: component_id check omitted (phasing out topology soon)
149+ -- User must have access to the playbook
150+ EXISTS (
151+ SELECT 1
152+ FROM playbooks
153+ WHERE playbooks .id = playbook_runs .playbook_id
194154 )
195- END
155+ AND
156+ -- AND if run has a config_id, user must have access to that config
157+ (playbook_runs .config_id IS NULL OR EXISTS (
158+ SELECT 1
159+ FROM config_items
160+ WHERE config_items .id = playbook_runs .config_id
161+ ))
162+ AND
163+ -- AND if run has a check_id, user must have access to that check (via its canary)
164+ (playbook_runs .check_id IS NULL OR EXISTS (
165+ SELECT 1
166+ FROM checks
167+ WHERE checks .id = playbook_runs .check_id
168+ ))
169+ -- Note: component_id check omitted (phasing out topology soon)
196170 );
197171
198172-- Policy checks
@@ -201,14 +175,12 @@ DROP POLICY IF EXISTS checks_auth ON checks;
201175CREATE POLICY checks_auth ON checks
202176 FOR ALL TO postgrest_api, postgrest_anon
203177 USING (
204- CASE WHEN (SELECT is_rls_disabled()) THEN TRUE
205- ELSE EXISTS (
178+ EXISTS (
206179 -- just leverage the RLS on canaries
207180 SELECT 1
208181 FROM canaries
209182 WHERE canaries .id = checks .canary_id
210183 )
211- END
212184 );
213185
214186-- Policy views
@@ -217,10 +189,7 @@ DROP POLICY IF EXISTS views_auth ON views;
217189CREATE POLICY views_auth ON views
218190 FOR ALL TO postgrest_api, postgrest_anon
219191 USING (
220- CASE WHEN (SELECT is_rls_disabled()) THEN TRUE
221- ELSE
222- (views .__scope && rls_scope_access())
223- END
192+ (views .__scope && rls_scope_access())
224193 );
225194
226195-- Policy view_panels (inherits from parent views table)
@@ -229,13 +198,10 @@ DROP POLICY IF EXISTS view_panels_auth ON view_panels;
229198CREATE POLICY view_panels_auth ON view_panels
230199 FOR ALL TO postgrest_api, postgrest_anon
231200 USING (
232- CASE WHEN (SELECT is_rls_disabled()) THEN TRUE
233- ELSE
234- EXISTS (
235- SELECT 1 FROM views
236- WHERE views .id = view_panels .view_id
237- )
238- END
201+ EXISTS (
202+ SELECT 1 FROM views
203+ WHERE views .id = view_panels .view_id
204+ )
239205 );
240206
241207ALTER VIEW analysis_by_config SET (security_invoker = true);
0 commit comments