Phase 2: Enforce Row-Level Security at the PostgreSQL level
- Rewrite rls.ts with withTenant()/withBypassRLS() using parameterized set_config() in interactive Prisma transactions (no SQL injection) - Add FORCE ROW LEVEL SECURITY on all 15 tenant-scoped tables - Add __bypass__ sentinel and WITH CHECK clauses to every RLS policy - Explicitly DISABLE RLS on tenants, tenant_hostnames, sessions - Wrap all API route and page loader queries in withTenant() - Wrap validateSession() in withBypassRLS() (joins RLS-protected users) - Keep existing tenantId where-clause filters as optimization layer - Add postgresql-client to Dockerfile and auto-apply RLS via entrypoint Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
+210
-40
@@ -1,65 +1,144 @@
|
||||
-- Row-Level Security (RLS) Policies
|
||||
-- Run this after migrations to enable tenant isolation at the DB level.
|
||||
-- Idempotent: safe to re-run on every deploy.
|
||||
|
||||
-- Helper: current tenant context (set via SET LOCAL in Prisma extension)
|
||||
-- Usage: SET LOCAL app.current_tenant_id = '<uuid>';
|
||||
-- Helper: current tenant context (set via set_config() in Prisma transaction)
|
||||
-- Usage: SELECT set_config('app.current_tenant_id', '<uuid>', true);
|
||||
|
||||
-- ─── Enable RLS ──────────────────────────────────────────
|
||||
-- ─── Tables WITHOUT RLS (cross-tenant by design) ──────
|
||||
ALTER TABLE tenants DISABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE tenant_hostnames DISABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE sessions DISABLE ROW LEVEL SECURITY;
|
||||
|
||||
-- ─── Enable + Force RLS ────────────────────────────────
|
||||
|
||||
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE boards ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE board_members ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE columns ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE cards ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE card_assignees ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE tags ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE card_labels ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE categories ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE checklists ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE checklist_items ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE comments ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE attachments ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE activities ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE notifications ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE board_templates ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE users FORCE ROW LEVEL SECURITY;
|
||||
|
||||
-- ─── Tenant-scoped tables (direct tenant_id) ────────────
|
||||
ALTER TABLE boards ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE boards FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE board_members ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE board_members FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE columns ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE columns FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE cards ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE cards FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE card_assignees ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE card_assignees FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE tags ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE tags FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE card_labels ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE card_labels FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE categories ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE categories FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE checklists ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE checklists FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE checklist_items ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE checklist_items FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE comments ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE comments FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE attachments ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE attachments FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE activities ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE activities FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE notifications ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE notifications FORCE ROW LEVEL SECURITY;
|
||||
|
||||
ALTER TABLE board_templates ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE board_templates FORCE ROW LEVEL SECURITY;
|
||||
|
||||
-- ─── Tenant-scoped tables (direct tenant_id) ──────────
|
||||
|
||||
-- Users
|
||||
DROP POLICY IF EXISTS users_tenant_isolation ON users;
|
||||
CREATE POLICY users_tenant_isolation ON users
|
||||
USING (tenant_id::text = current_setting('app.current_tenant_id', true));
|
||||
USING (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
);
|
||||
|
||||
-- Boards
|
||||
DROP POLICY IF EXISTS boards_tenant_isolation ON boards;
|
||||
CREATE POLICY boards_tenant_isolation ON boards
|
||||
USING (tenant_id::text = current_setting('app.current_tenant_id', true));
|
||||
USING (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
);
|
||||
|
||||
-- Tags
|
||||
DROP POLICY IF EXISTS tags_tenant_isolation ON tags;
|
||||
CREATE POLICY tags_tenant_isolation ON tags
|
||||
USING (tenant_id::text = current_setting('app.current_tenant_id', true));
|
||||
USING (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
);
|
||||
|
||||
-- Categories
|
||||
DROP POLICY IF EXISTS categories_tenant_isolation ON categories;
|
||||
CREATE POLICY categories_tenant_isolation ON categories
|
||||
USING (tenant_id::text = current_setting('app.current_tenant_id', true));
|
||||
USING (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
);
|
||||
|
||||
-- Board Templates (null tenant_id = system template, visible to all)
|
||||
DROP POLICY IF EXISTS board_templates_tenant_isolation ON board_templates;
|
||||
CREATE POLICY board_templates_tenant_isolation ON board_templates
|
||||
USING (
|
||||
tenant_id IS NULL
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR tenant_id IS NULL
|
||||
OR tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR tenant_id IS NULL
|
||||
OR tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
);
|
||||
|
||||
-- ─── Board-scoped tables (via join to boards) ───────────
|
||||
-- ─── Board-scoped tables (via join to boards) ─────────
|
||||
|
||||
-- Board Members
|
||||
DROP POLICY IF EXISTS board_members_tenant_isolation ON board_members;
|
||||
CREATE POLICY board_members_tenant_isolation ON board_members
|
||||
USING (
|
||||
board_id IN (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR board_id IN (
|
||||
SELECT id FROM boards
|
||||
WHERE tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR board_id IN (
|
||||
SELECT id FROM boards
|
||||
WHERE tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
@@ -69,7 +148,15 @@ CREATE POLICY board_members_tenant_isolation ON board_members
|
||||
DROP POLICY IF EXISTS columns_tenant_isolation ON columns;
|
||||
CREATE POLICY columns_tenant_isolation ON columns
|
||||
USING (
|
||||
board_id IN (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR board_id IN (
|
||||
SELECT id FROM boards
|
||||
WHERE tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR board_id IN (
|
||||
SELECT id FROM boards
|
||||
WHERE tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
@@ -79,7 +166,15 @@ CREATE POLICY columns_tenant_isolation ON columns
|
||||
DROP POLICY IF EXISTS activities_tenant_isolation ON activities;
|
||||
CREATE POLICY activities_tenant_isolation ON activities
|
||||
USING (
|
||||
board_id IN (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR board_id IN (
|
||||
SELECT id FROM boards
|
||||
WHERE tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR board_id IN (
|
||||
SELECT id FROM boards
|
||||
WHERE tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
@@ -91,7 +186,16 @@ CREATE POLICY activities_tenant_isolation ON activities
|
||||
DROP POLICY IF EXISTS cards_tenant_isolation ON cards;
|
||||
CREATE POLICY cards_tenant_isolation ON cards
|
||||
USING (
|
||||
column_id IN (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR column_id IN (
|
||||
SELECT c.id FROM columns c
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
WHERE b.tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR column_id IN (
|
||||
SELECT c.id FROM columns c
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
WHERE b.tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
@@ -102,7 +206,17 @@ CREATE POLICY cards_tenant_isolation ON cards
|
||||
DROP POLICY IF EXISTS card_assignees_tenant_isolation ON card_assignees;
|
||||
CREATE POLICY card_assignees_tenant_isolation ON card_assignees
|
||||
USING (
|
||||
card_id IN (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR card_id IN (
|
||||
SELECT ca.id FROM cards ca
|
||||
JOIN columns c ON ca.column_id = c.id
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
WHERE b.tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR card_id IN (
|
||||
SELECT ca.id FROM cards ca
|
||||
JOIN columns c ON ca.column_id = c.id
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
@@ -114,7 +228,17 @@ CREATE POLICY card_assignees_tenant_isolation ON card_assignees
|
||||
DROP POLICY IF EXISTS card_labels_tenant_isolation ON card_labels;
|
||||
CREATE POLICY card_labels_tenant_isolation ON card_labels
|
||||
USING (
|
||||
card_id IN (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR card_id IN (
|
||||
SELECT ca.id FROM cards ca
|
||||
JOIN columns c ON ca.column_id = c.id
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
WHERE b.tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR card_id IN (
|
||||
SELECT ca.id FROM cards ca
|
||||
JOIN columns c ON ca.column_id = c.id
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
@@ -126,7 +250,17 @@ CREATE POLICY card_labels_tenant_isolation ON card_labels
|
||||
DROP POLICY IF EXISTS checklists_tenant_isolation ON checklists;
|
||||
CREATE POLICY checklists_tenant_isolation ON checklists
|
||||
USING (
|
||||
card_id IN (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR card_id IN (
|
||||
SELECT ca.id FROM cards ca
|
||||
JOIN columns c ON ca.column_id = c.id
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
WHERE b.tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR card_id IN (
|
||||
SELECT ca.id FROM cards ca
|
||||
JOIN columns c ON ca.column_id = c.id
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
@@ -138,7 +272,18 @@ CREATE POLICY checklists_tenant_isolation ON checklists
|
||||
DROP POLICY IF EXISTS checklist_items_tenant_isolation ON checklist_items;
|
||||
CREATE POLICY checklist_items_tenant_isolation ON checklist_items
|
||||
USING (
|
||||
checklist_id IN (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR checklist_id IN (
|
||||
SELECT ch.id FROM checklists ch
|
||||
JOIN cards ca ON ch.card_id = ca.id
|
||||
JOIN columns c ON ca.column_id = c.id
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
WHERE b.tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR checklist_id IN (
|
||||
SELECT ch.id FROM checklists ch
|
||||
JOIN cards ca ON ch.card_id = ca.id
|
||||
JOIN columns c ON ca.column_id = c.id
|
||||
@@ -151,7 +296,17 @@ CREATE POLICY checklist_items_tenant_isolation ON checklist_items
|
||||
DROP POLICY IF EXISTS comments_tenant_isolation ON comments;
|
||||
CREATE POLICY comments_tenant_isolation ON comments
|
||||
USING (
|
||||
card_id IN (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR card_id IN (
|
||||
SELECT ca.id FROM cards ca
|
||||
JOIN columns c ON ca.column_id = c.id
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
WHERE b.tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR card_id IN (
|
||||
SELECT ca.id FROM cards ca
|
||||
JOIN columns c ON ca.column_id = c.id
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
@@ -163,7 +318,17 @@ CREATE POLICY comments_tenant_isolation ON comments
|
||||
DROP POLICY IF EXISTS attachments_tenant_isolation ON attachments;
|
||||
CREATE POLICY attachments_tenant_isolation ON attachments
|
||||
USING (
|
||||
card_id IN (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR card_id IN (
|
||||
SELECT ca.id FROM cards ca
|
||||
JOIN columns c ON ca.column_id = c.id
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
WHERE b.tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR card_id IN (
|
||||
SELECT ca.id FROM cards ca
|
||||
JOIN columns c ON ca.column_id = c.id
|
||||
JOIN boards b ON c.board_id = b.id
|
||||
@@ -171,17 +336,22 @@ CREATE POLICY attachments_tenant_isolation ON attachments
|
||||
)
|
||||
);
|
||||
|
||||
-- ─── User-scoped tables ─────────────────────────────────
|
||||
-- ─── User-scoped tables ───────────────────────────────
|
||||
|
||||
-- Notifications
|
||||
DROP POLICY IF EXISTS notifications_tenant_isolation ON notifications;
|
||||
CREATE POLICY notifications_tenant_isolation ON notifications
|
||||
USING (
|
||||
user_id IN (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR user_id IN (
|
||||
SELECT id FROM users
|
||||
WHERE tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
)
|
||||
WITH CHECK (
|
||||
current_setting('app.current_tenant_id', true) = '__bypass__'
|
||||
OR user_id IN (
|
||||
SELECT id FROM users
|
||||
WHERE tenant_id::text = current_setting('app.current_tenant_id', true)
|
||||
)
|
||||
);
|
||||
|
||||
-- Sessions (no RLS - cross-tenant by design for session validation)
|
||||
-- Sessions are validated in application code with tenant check
|
||||
|
||||
Reference in New Issue
Block a user