mirror of
https://github.com/pacnpal/thrilltrack-explorer.git
synced 2025-12-20 10:31:13 -05:00
21 lines
957 B
SQL
21 lines
957 B
SQL
-- Fix profiles table public exposure vulnerability
|
|
-- Remove the public access policy that allows unauthenticated users to view profiles
|
|
|
|
-- Drop the existing public access policy
|
|
DROP POLICY IF EXISTS "Public can view non-banned public profiles" ON public.profiles;
|
|
|
|
-- Create a new policy that requires authentication to view other users' profiles
|
|
-- Only show profiles with public privacy level to authenticated users
|
|
CREATE POLICY "Authenticated users can view public profiles"
|
|
ON public.profiles
|
|
FOR SELECT
|
|
TO authenticated
|
|
USING (
|
|
(auth.uid() = user_id)
|
|
OR is_moderator(auth.uid())
|
|
OR ((privacy_level = 'public') AND (NOT banned))
|
|
);
|
|
|
|
-- Add comment explaining the security rationale
|
|
COMMENT ON POLICY "Authenticated users can view public profiles" ON public.profiles IS
|
|
'Restricts profile viewing to authenticated users only. Prevents public scraping of user personal information including locations, timezones, bios, and contact details.'; |