Skip to content

fix(rbac): block preview public channels#2713

Draft
riderx wants to merge 1 commit into
mainfrom
codex/guard-app-preview-public-channel
Draft

fix(rbac): block preview public channels#2713
riderx wants to merge 1 commit into
mainfrom
codex/guard-app-preview-public-channel

Conversation

@riderx

@riderx riderx commented Jul 17, 2026

Copy link
Copy Markdown
Member

Summary

  • Require app.update_settings to create a public/default channel.
  • Keep App Preview keys able to create private PR channels and atomically upload/promote their bundles.
  • Enforce the same boundary for direct CLI table writes and the raw-SQL create-and-promote path.

RLS execution model

  • Surface: public.channels INSERT WITH CHECK; it runs once per inserted channel row from the CLI/PostgREST path.
  • Existing app.create_channel remains required for every new channel.
  • A row with public = true additionally requires the existing, caller-scoped app.update_settings RBAC check on the row owner app. App Preview does not receive that permission.
  • The policy adds no tables, joins, or new helper functions. It uses the existing RBAC request helper with the insert row indexed owner_org and app_id values.
  • The endpoint atomic create-and-promote transaction uses a direct PostgreSQL client and therefore bypasses RLS; it performs the matching app.update_settings guard before inserting.

EXPLAIN and integration follow-up

  • Local EXPLAIN (ANALYZE, BUFFERS) and the affected lifecycle integration test are pending: the local Supabase runtime cannot start because Docker/Dory is unavailable (Cannot connect to .../.dory/dory.sock).
  • Before this leaves draft, collect policy-plan evidence for App Preview non-public insert, App Preview public insert denial, and an app-admin public insert. CI must also pass the isolated lifecycle test.

Validation

  • bun lint
  • bun lint:backend
  • Focused ESLint for changed tests
  • bun run typecheck:backend
  • bunx vitest run tests/channel-post.unit.test.ts - 16 passed
  • bun test:unit - 160 files / 1,065 tests passed

@riderx
riderx deployed to deepsec-pr July 17, 2026 13:57 — with GitHub Actions Active
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 165deb39-7611-4555-b7e0-d3a019535b09

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Comment @coderabbitai help to get the list of available commands.

@codspeed-hq

codspeed-hq Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Merging this PR will not alter performance

✅ 43 untouched benchmarks
⏩ 2 skipped benchmarks1


Comparing codex/guard-app-preview-public-channel (749e0f2) with main (0edae7f)

Open in CodSpeed

Footnotes

  1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant