Harden public catalog RLS boundaries #192

Open
zaixincheng174-ai wants to merge 1 commit into SebastienGosa:main from zaixincheng174-ai:codex/catalog-rls-100
Conversation

@zaixincheng174-ai

Summary

  • enable RLS on public catalog tables that can contain organization-scoped B2B rows (authors, books, translations, files, ISBNs, categories, and book-category links)
  • allow direct client reads only for the public catalog (organization_id IS NULL) while leaving catalog writes to server/service-role paths
  • make catalog views security-invoker and filter catalog dashboards to public-catalog books so future tenant rows are not exposed through views

Security rationale

authors.organization_id and books.organization_id are documented as NULL = public catalog; set for B2B tenants. Without RLS, any anon/authenticated Supabase client with table access can read organization-scoped catalog rows, and v_book_catalog can expose them through the public catalog view. This patch keeps public-domain catalog reads working while preventing future B2B catalog data from becoming public by default.

Validation

  • git diff --check

Not run

  • Runtime schema apply: local environment has no docker or psql available.
  • pnpm --filter @librarfree/db typecheck: blocked because node_modules is missing and tsc is not installed in this checkout.

/claim #100
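
The policy shape the summary describes, as an added example that is not the PR's diff or the project's migration. It assumes a Supabase project (where the `anon` and `authenticated` roles exist) on PostgreSQL 15 or later; every column other than `organization_id` and both policy names are hypothetical.

```sql
-- Added illustration. Column names other than organization_id and the
-- policy names are assumptions, not taken from the repository.
CREATE TABLE authors (
  id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  organization_id uuid,          -- NULL = public catalog; set for B2B tenants
  name            text NOT NULL
);
CREATE TABLE books (
  id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  organization_id uuid,          -- NULL = public catalog; set for B2B tenants
  author_id       uuid REFERENCES authors (id),
  title           text NOT NULL
);

-- Once RLS is enabled, a role with no matching policy sees zero rows.
ALTER TABLE authors ENABLE ROW LEVEL SECURITY;
ALTER TABLE books   ENABLE ROW LEVEL SECURITY;

-- SELECT-only policies: clients can read public-catalog rows and nothing else.
-- No INSERT/UPDATE/DELETE policy is defined, so client writes are rejected;
-- the service role bypasses RLS and remains the write path.
CREATE POLICY authors_public_read ON authors
  FOR SELECT TO anon, authenticated
  USING (organization_id IS NULL);
CREATE POLICY books_public_read ON books
  FOR SELECT TO anon, authenticated
  USING (organization_id IS NULL);

-- A view normally runs with its owner's privileges, which can sidestep the
-- base tables' policies. security_invoker makes it run as the caller, and the
-- explicit filter keeps tenant rows out even if a policy is later loosened.
CREATE VIEW v_book_catalog WITH (security_invoker = true) AS
  SELECT b.id, b.title, a.name AS author_name
  FROM books b
  JOIN authors a ON a.id = b.author_id
  WHERE b.organization_id IS NULL;

-- Checks after applying: RLS flag per table, view option, and a client-role read.
SELECT relname, relrowsecurity FROM pg_class WHERE relname IN ('authors', 'books');
SELECT relname, reloptions     FROM pg_class WHERE relname = 'v_book_catalog';
SET ROLE anon;
SELECT count(*) FROM books WHERE organization_id IS NOT NULL;  -- expect 0
RESET ROLE;
```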
