From 21ba87a6641993493fb08bcd97e5da4fdacc37a4 Mon Sep 17 00:00:00 2001
From: "gpt-engineer-app[bot]" <159125892+gpt-engineer-app[bot]@users.noreply.github.com>
Date: Sun, 12 Oct 2025 14:07:12 +0000
Subject: [PATCH] Fix SECURITY DEFINER on views
---
.../20251012140656_6afd3694-2db5-4fb2-be7c-bb4967f62133.sql | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 supabase/migrations/20251012140656_6afd3694-2db5-4fb2-be7c-bb4967f62133.sql
diff --git a/supabase/migrations/20251012140656_6afd3694-2db5-4fb2-be7c-bb4967f62133.sql b/supabase/migrations/20251012140656_6afd3694-2db5-4fb2-be7c-bb4967f62133.sql
new file mode 100644
index 00000000..dafa0942
--- /dev/null
+++ b/supabase/migrations/20251012140656_6afd3694-2db5-4fb2-be7c-bb4967f62133.sql
@@ -0,0 +1,5 @@
+-- Set filtered_profiles view to use security_invoker
+-- This makes the view execute with the permissions of the invoking user, not the creator
+ALTER VIEW public.filtered_profiles SET (security_invoker = true);
+
+COMMENT ON VIEW public.filtered_profiles IS 'Profile view with field-level privacy controls using security_invoker. Uses security definer functions for granular permission checks but view respects querying user context.';
\ No newline at end of file
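Review bot: The `ALTER VIEW public.filtered_profiles SET (security_invoker = true);` statement makes every caller need its own SELECT privilege on the view's underlying tables, and the migration does not show what grants or row-level security policies exist there. If those grants are broad, a role that can read through the view can presumably also query the base table directly and skip the field-level filtering the view comment describes, so the grants and policies should be checked in the same change. I would record the dependency above the statement, for example `-- Requires: RLS enabled on the base table(s); caller roles limited to the columns/rows this view is meant to expose`. The security definer functions mentioned in the view comment still run with their owner's rights regardless of this setting and are not visible in this hunk, so confirm they pin `search_path` and check the caller's identity themselves. `security_invoker` is a PostgreSQL 15+ view option, so this migration will presumably fail on an older server.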