Fix: Address security findings

This commit is contained in:
gpt-engineer-app[bot]
2025-10-09 00:34:37 +00:00
parent 10098e3bcc
commit 07f14cdcb5

@@ -0,0 +1,16 @@
-- Enable RLS on the filtered_profiles view
ALTER VIEW public.filtered_profiles SET (security_invoker = on);
-- Grant explicit access to the filtered_profiles view
GRANT SELECT ON public.filtered_profiles TO authenticated, anon;
-- Add comment explaining the security model
COMMENT ON VIEW public.filtered_profiles IS
'Privacy-safe profile view that uses can_view_profile_field() to enforce field-level access control.
Sensitive fields (date_of_birth, personal_location, etc.) are conditionally shown based on:
1. User privacy settings in user_preferences table
2. Profile privacy_level (public vs private)
3. Viewer permissions (owner, moderator)
The view filters out banned users unless viewer is owner or moderator.
RLS is enforced at the row level in the WHERE clause.';
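Review bot: the comment on the first line of the hunk ("Enable RLS on the filtered_profiles view") mislabels what `ALTER VIEW ... SET (security_invoker = on)` does; it does not enable row-level security on the view, it makes the view run with the privileges of the calling user so that the RLS policies of the underlying tables apply instead of the view owner's. Suggest rewording it to something like `-- Run the view as the invoker so underlying table RLS applies`. For the same reason, the COMMENT text "RLS is enforced at the row level in the WHERE clause" conflates a view-definition filter with RLS: a WHERE clause in the view only constrains queries that go through the view, while RLS policies on the base tables constrain direct reads as well, so the comment should state which mechanism actually protects the sensitive fields. Finally, `GRANT SELECT ON public.filtered_profiles TO authenticated, anon` combined with `security_invoker = on` means anonymous reads succeed only if the base tables have RLS policies (and SELECT grants) for the `anon` role; confirm those exist and are as restrictive as the comment describes, since a permissive or missing policy on the base table would expose rows that the view's WHERE clause is meant to hide.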