feat: implement Row Level Security policies (#14) #42

Closed
makiolaj wants to merge 0 commits from feature/issue-14-rls-policies into develop
Owner

Overview

Implements Row Level Security (RLS) policies for all core tables.

Changes

  • Enabled RLS on all 6 tables
  • inventory_items: Shared household inventory - all authenticated users can CRUD
  • products: Read-only for users (service role manages via Edge Functions)
  • tags: Users can create/manage own tags, read all tags (inc. system tags)
  • item_tags: Authenticated users can tag/untag items
  • units: Users can create/manage custom units, read all units
  • user_profiles: Users manage only their own profile
  • Comprehensive policy comments for documentation

Security Model

  • Shared inventory: Simple household model - any authenticated user can modify items
  • System resources: System tags and default units are read-only or admin-editable
  • User resources: Custom tags and units owned by creator
  • Product cache: Managed by service role (Edge Functions), read-only for users

Migration Details

  • File: supabase/migrations/002_rls_policies.sql
  • Policies: 20 security policies across 6 tables
  • Pattern: SELECT (permissive), INSERT/UPDATE/DELETE (auth-gated)

Testing Notes

All policies follow the principle of least privilege while supporting the shared household use case.

Dependencies

  • Requires migration 001 (schema) to be applied first

Closes #14

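The four policy patterns the PR description lists (open reads for signed-in users, writes gated on auth.uid(), ownership of user-created rows with read-only system rows, and a service-role-only table), written out as an added example for PostgreSQL on Supabase. This is illustration code, not the project's migration 002 and not the DATABASE.md spec: the column names created_by and is_system, the table and policy names, and the check at the end are assumptions, since the schema from migration 001 is not shown on this page.

```sql
-- Added example, not the project's supabase/migrations/002_rls_policies.sql.
-- Assumed schema: tags(created_by uuid, is_system boolean, name text);
-- inventory_items and products exist as in the PR description.

-- 1. Shared household inventory: any signed-in user reads and writes every row.
alter table public.inventory_items enable row level security;

create policy "inventory_items_select" on public.inventory_items
  for select to authenticated
  using (true);

create policy "inventory_items_insert" on public.inventory_items
  for insert to authenticated
  with check (auth.uid() is not null);

create policy "inventory_items_update" on public.inventory_items
  for update to authenticated
  using (auth.uid() is not null)
  with check (auth.uid() is not null);

create policy "inventory_items_delete" on public.inventory_items
  for delete to authenticated
  using (auth.uid() is not null);

-- 2. Product cache: read-only for users. No INSERT/UPDATE/DELETE policy exists
--    for "authenticated", so those statements match zero rows. Supabase's
--    service_role has BYPASSRLS, so Edge Functions using it need no policy.
alter table public.products enable row level security;

create policy "products_select" on public.products
  for select to authenticated
  using (true);

-- 3. Ownership with system rows: everyone reads all tags; a user may only
--    write rows where created_by is their own uid. System tags are assumed to
--    have created_by = null, so the ownership predicate never matches them
--    and they stay read-only. (Assumes created_by defaults to auth.uid() or
--    the client sets it; otherwise the INSERT check fails.)
alter table public.tags enable row level security;

create policy "tags_select" on public.tags
  for select to authenticated
  using (true);

create policy "tags_insert" on public.tags
  for insert to authenticated
  with check (created_by = auth.uid() and not is_system);

create policy "tags_update" on public.tags
  for update to authenticated
  using (created_by = auth.uid())
  with check (created_by = auth.uid() and not is_system);

create policy "tags_delete" on public.tags
  for delete to authenticated
  using (created_by = auth.uid());

-- 4. Constructed check, run from psql as the database owner: assume the
--    "authenticated" role and inject the JWT claims auth.uid() reads, so the
--    policies are exercised without issuing a real token.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);

-- Expected: UPDATE 0. The USING clause hides system tags from the caller,
-- so the statement succeeds but touches nothing.
update public.tags set name = 'renamed' where is_system;

-- Expected: 0 rows visible for update on products as well (no write policy).
update public.products set name = 'renamed';
rollback;
```

Two caveats worth keeping in mind when reviewing a policy set like this. "SELECT (permissive)" in the description means open reads for signed-in users; in PostgreSQL every policy is PERMISSIVE unless declared RESTRICTIVE, so the word does not itself narrow anything. And enabling RLS does not constrain the table owner or a superuser (the postgres role most migrations run as) unless FORCE ROW LEVEL SECURITY is also set, which is why the check above switches to the authenticated role before testing.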
makiolaj added 1 commit 2026-02-09 02:38:04 +00:00
feat: add Row Level Security policies (#14)
Some checks failed
Deploy to Coolify / Code Quality (pull_request) Has been cancelled
Deploy to Coolify / Run Tests (pull_request) Has been cancelled
Deploy to Coolify / Deploy to Development (pull_request) Has been cancelled
Deploy to Coolify / Deploy to Production (pull_request) Has been cancelled
Deploy to Coolify / Deploy to Test (pull_request) Has been cancelled
Pull Request Checks / Validate PR (pull_request) Has been cancelled
9f421907eb
- Enable RLS on all 6 tables
- inventory_items: shared inventory (all auth users can CRUD)
- products: read-only for users (service role for writes)
- tags: users can manage own tags, read all tags
- item_tags: auth users can tag/untag items
- units: users can create/manage custom units
- user_profiles: users manage only their own profile
- Comprehensive policy comments for documentation

Closes #14
Author
Owner

APPROVED - Ready to Merge

Reviewer: Pantry Review Bot (AI)
Date: 2026-02-09 02:40 UTC

Strengths

  • Comprehensive - RLS enabled on all 6 tables
  • Shared household model correctly implemented
  • All write operations properly auth-gated
  • Ownership logic protects user resources
  • Service role pattern correct (products read-only for users)
  • Well-documented with descriptive comments

📋 Compliance Checklist

  • RLS enabled on all tables ✓
  • Auth gating correct ✓ (auth.uid() IS NOT NULL)
  • Ownership logic ✓ (users manage own resources)
  • Shared inventory model ✓ (all auth users can CRUD items)
  • Follows DATABASE.md spec ✓ (100% accurate)
  • Policy naming consistent ✓
  • No security holes ✓

🔍 Security Review

All 20 policies reviewed - no critical issues found. Proper implementation of:

  • Shared household inventory (permissive)
  • System resource protection (default units, system tags)
  • User resource ownership (custom tags/units)
  • Service role pattern (products)

🏆 Final Recommendation

Excellent security implementation. No changes required. Ready to merge to develop.

📄 Full review: workspace/pantry-reviews/pr-42.md

makiolaj closed this pull request 2026-02-09 12:36:12 +00:00