From 4d571e4f12059cc48d3f529b6d05aa8a73247632 Mon Sep 17 00:00:00 2001
From: "gpt-engineer-app[bot]" <159125892+gpt-engineer-app[bot]@users.noreply.github.com>
Date: Wed, 5 Nov 2025 19:44:01 +0000
Subject: [PATCH] Fix search path security warning
---
 ...7_7ed2c044-82bb-490d-9c0b-a7eff76ca7bd.sql | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 supabase/migrations/20251105194347_7ed2c044-82bb-490d-9c0b-a7eff76ca7bd.sql
diff --git a/supabase/migrations/20251105194347_7ed2c044-82bb-490d-9c0b-a7eff76ca7bd.sql b/supabase/migrations/20251105194347_7ed2c044-82bb-490d-9c0b-a7eff76ca7bd.sql
new file mode 100644
index 00000000..15acb170
--- /dev/null
+++ b/supabase/migrations/20251105194347_7ed2c044-82bb-490d-9c0b-a7eff76ca7bd.sql
@@ -0,0 +1,44 @@
+-- Fix search_path security vulnerability in update_content_submissions_updated_at
+-- This addresses the function_search_path_mutable linter warning
+
+DROP FUNCTION IF EXISTS public.update_content_submissions_updated_at() CASCADE;
+
+CREATE OR REPLACE FUNCTION public.update_content_submissions_updated_at()
+RETURNS TRIGGER
+LANGUAGE plpgsql
+SET search_path = 'public'
+AS $$
+BEGIN
+ -- Only update updated_at if actual content has changed
+ -- Ignore changes to: updated_at, assigned_to, assigned_at, locked_until, priority, review_count, first_reviewed_at, resolved_at, submitted_at
+ IF (
+ NEW.status IS DISTINCT FROM OLD.status OR
+ NEW.reviewer_id IS DISTINCT FROM OLD.reviewer_id OR
+ NEW.reviewer_notes IS DISTINCT FROM OLD.reviewer_notes OR
+ NEW.escalated IS DISTINCT FROM OLD.escalated OR
+ NEW.escalation_reason IS DISTINCT FROM OLD.escalation_reason OR
+ NEW.approval_mode IS DISTINCT FROM OLD.approval_mode OR
+ NEW.user_id IS DISTINCT FROM OLD.user_id OR
+ NEW.submission_type IS DISTINCT FROM OLD.submission_type OR
+ NEW.escalated_by IS DISTINCT FROM OLD.escalated_by OR
+ NEW.escalated_at IS DISTINCT FROM OLD.escalated_at OR
+ NEW.original_submission_id IS DISTINCT FROM OLD.original_submission_id
+ ) THEN
+ NEW.updated_at = NOW();
+ ELSE
+ -- Keep the old updated_at timestamp if only metadata changed
+ NEW.updated_at = OLD.updated_at;
+ END IF;
+
+ RETURN NEW;
+END;
+$$;
+
+-- Recreate trigger for content_submissions
+CREATE TRIGGER update_content_submissions_updated_at
+ BEFORE UPDATE ON public.content_submissions
+ FOR EACH ROW
+ EXECUTE FUNCTION public.update_content_submissions_updated_at();
+
+COMMENT ON FUNCTION public.update_content_submissions_updated_at() IS
+ 'SECURITY HARDENED: Trigger function to update updated_at timestamp only when meaningful fields change. Includes SET search_path to prevent search path injection attacks.';
\ No newline at end of file
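Review bot: `DROP FUNCTION IF EXISTS public.update_content_submissions_updated_at() CASCADE;` silently drops every trigger that depends on the function, yet the migration only recreates the one on `public.content_submissions`, so any other trigger bound to this function would disappear with no error. Because the signature (`RETURNS TRIGGER`, no arguments) is unchanged, `CREATE OR REPLACE FUNCTION` by itself swaps the body in place and keeps existing triggers and their grants, which makes both the `DROP ... CASCADE` and the trailing `CREATE TRIGGER` unnecessary; if the drop/recreate is kept deliberately, precede the trigger creation with `DROP TRIGGER IF EXISTS update_content_submissions_updated_at ON public.content_submissions;` so the file stays re-runnable, and note that there is a window with no trigger unless the migration runs in a single transaction. Separately, `SET search_path = 'public'` only partly follows the PostgreSQL guidance for fixed-search-path functions, which ends the list with `pg_temp` (`SET search_path = public, pg_temp`) so the session's temporary schema cannot shadow relation names; this body references only `NEW`, `OLD` and `NOW()` and the function is not `SECURITY DEFINER`, so the practical exposure is small and the `COMMENT ON FUNCTION` text "prevent search path injection attacks" overstates what the setting buys here — consider rewording it to "pins search_path to satisfy the function_search_path_mutable lint".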