fix: split channel_permission_overrides write policies

[riderx]

Summary (AI generated)

• replace the permissive FOR ALL policy on public.channel_permission_overrides with explicit INSERT, UPDATE, and DELETE policies
• keep a single permissive SELECT policy for authenticated to remove the Supabase linter warning and reduce per-query policy evaluation
• add pgTAP coverage that asserts the table policy set and verifies there is only one permissive SELECT path for authenticated

Motivation (AI generated)

channel_permission_overrides_admin_write was defined as FOR ALL, which implicitly applied to SELECT and overlapped with channel_permission_overrides_admin_select. Supabase flags that pattern because multiple permissive policies for the same role and action add unnecessary policy checks on every matching query.

Business Impact (AI generated)

This removes a production schema warning, keeps RLS behavior explicit, and avoids avoidable policy-evaluation overhead on a permission table that is part of RBAC-sensitive permission flows.

Test Plan (AI generated)

• Start the worktree-local Supabase stack with PATH="/tmp/codex-bin:$PATH" bun scripts/supabase-worktree.ts start
• Run PATH="/tmp/codex-bin:$PATH" bunx supabase test db supabase/tests/26_test_rls_policies.sql --workdir /Users/martindonadieu/.codex/worktrees/a5cf/capgo/.context/supabase-worktrees/b701ac6e

Generated with AI

Summary by CodeRabbit

• Chores

  • Reorganized database access control policies for improved granularity and clarity.
  • Updated policy documentation for better maintainability.

• Tests

  • Expanded test coverage for database access control policies.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 68249414-7aa8-4bb3-953e-13ada0c00505

📥 Commits

Reviewing files that changed from the base of the PR and between ebabb47 and b4f290d.

📒 Files selected for processing (2)

• supabase/migrations/20260325045835_split_channel_permission_overrides_write_policies.sql
• supabase/tests/26_test_rls_policies.sql

---

📝 Walkthrough

Walkthrough

This PR refactors write access policies on public.channel_permission_overrides by replacing a single combined write policy with three separate policies for INSERT, UPDATE, and DELETE operations. Each policy maintains identical authorization checks via RBAC permissions. Test coverage is updated to verify the four resulting policies and their selective access patterns.

Changes

Cohort / File(s)	Summary
Database Migration supabase/migrations/20260325045835_split_channel_permission_overrides_write_policies.sql	Drops the unified channel_permission_overrides_admin_write policy and creates three separate policies (admin_insert, admin_update, admin_delete) for authenticated users. All policies share identical authorization logic checking channel_id belongs to an app owned by the authenticated user with app_update_user_roles permission. Adds policy comments.
RLS Policy Tests supabase/tests/26_test_rls_policies.sql	Increases test plan from 37 to 39. Validates four specific policies exist on channel_permission_overrides and confirms only one permissive SELECT path is exposed to authenticated roles.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat: RBAC group management #1662: Added the public.channel_permission_overrides table and initial RLS policies; this PR refines the write policy implementation by splitting it into granular operations.

Suggested labels

codex

Poem

🐰 A policy once bold, unified and strong,
Now splits into three, each precise and long—
Insert, update, delete in harmony dance,
RBAC guards each with careful stance! 🔐

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly describes the main change: splitting the channel_permission_overrides write policies from a FOR ALL policy into separate INSERT, UPDATE, and DELETE policies.
Description check	✅ Passed	The description includes a summary of changes and test plan demonstrating the work was tested. Most required sections are present, though screenshots section is appropriately skipped for a backend-only change.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-channel-permission-overrides-rls

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 SQLFluff (4.0.4)

supabase/migrations/20260325045835_split_channel_permission_overrides_write_policies.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

supabase/tests/26_test_rls_policies.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud