pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-25 03:51:13 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Restrict access to profiles table

Browse Source
This commit is contained in:
gpt-engineer-app[bot]
2025-10-08 22:44:23 +00:00
parent 72bfa69139
commit e1615903e6
1 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
supabase/migrations/20251008224411_663d0a65-d097-436e-8e9c-481cc15e6d11.sql Normal file
View File

@@ -0,0 +1,21 @@
-- Fix profiles table public exposure vulnerability
-- Remove the public access policy that allows unauthenticated users to view profiles
-- Drop the existing public access policy
DROP POLICY IF EXISTS "Public can view non-banned public profiles" ON public.profiles;
-- Create a new policy that requires authentication to view other users' profiles
-- Only show profiles with public privacy level to authenticated users
CREATE POLICY "Authenticated users can view public profiles"
ON public.profiles
FOR SELECT
TO authenticated
USING (
(auth.uid() = user_id)
OR is_moderator(auth.uid())
OR ((privacy_level = 'public') AND (NOT banned))
);
-- Add comment explaining the security rationale
COMMENT ON POLICY "Authenticated users can view public profiles" ON public.profiles IS
'Restricts profile viewing to authenticated users only. Prevents public scraping of user personal information including locations, timezones, bios, and contact details.';