Private
Public Access
1
0

Phase 2: Enforce Row-Level Security at the PostgreSQL level

- Rewrite rls.ts with withTenant()/withBypassRLS() using parameterized
  set_config() in interactive Prisma transactions (no SQL injection)
- Add FORCE ROW LEVEL SECURITY on all 15 tenant-scoped tables
- Add __bypass__ sentinel and WITH CHECK clauses to every RLS policy
- Explicitly DISABLE RLS on tenants, tenant_hostnames, sessions
- Wrap all API route and page loader queries in withTenant()
- Wrap validateSession() in withBypassRLS() (joins RLS-protected users)
- Keep existing tenantId where-clause filters as optimization layer
- Add postgresql-client to Dockerfile and auto-apply RLS via entrypoint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Catherine Renelle
2026-02-25 22:54:26 -05:00
parent f6ddfcfc62
commit bd12160ebb
15 changed files with 625 additions and 424 deletions
+52 -46
View File
@@ -1,36 +1,38 @@
import { json, error } from '@sveltejs/kit';
import type { RequestHandler } from './$types.js';
import { prisma } from '$lib/server/db.js';
import { boardSchema } from '$lib/server/validation.js';
import { withTenant } from '$lib/server/rls.js';
// Get single board with all columns and cards
export const GET: RequestHandler = async ({ params, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
const board = await prisma.board.findFirst({
where: { id: params.boardId, tenantId: tenant.id },
include: {
columns: {
orderBy: { position: 'asc' },
include: {
cards: {
where: { archived: false },
orderBy: { position: 'asc' },
include: {
assignees: {
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
},
labels: { include: { tag: true } },
_count: { select: { comments: true, checklists: true, attachments: true } }
const board = await withTenant(tenant.id, async (tx) => {
return tx.board.findFirst({
where: { id: params.boardId, tenantId: tenant.id },
include: {
columns: {
orderBy: { position: 'asc' },
include: {
cards: {
where: { archived: false },
orderBy: { position: 'asc' },
include: {
assignees: {
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
},
labels: { include: { tag: true } },
_count: { select: { comments: true, checklists: true, attachments: true } }
}
}
}
},
members: {
include: { user: { select: { id: true, name: true, email: true, avatarUrl: true } } }
}
},
members: {
include: { user: { select: { id: true, name: true, email: true, avatarUrl: true } } }
}
}
});
});
if (!board) throw error(404, 'Board not found');
@@ -53,27 +55,29 @@ export const PATCH: RequestHandler = async ({ params, request, locals }) => {
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const board = await prisma.board.findFirst({
where: { id: params.boardId, tenantId: tenant.id },
include: { members: true }
});
if (!board) throw error(404, 'Board not found');
const member = board.members.find((m) => m.userId === locals.user!.id);
const isAdmin =
locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
if (!member && !isAdmin) throw error(403, 'Access denied');
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit boards');
const body = await request.json();
const result = boardSchema.partial().safeParse(body);
if (!result.success) {
return json({ error: result.error.issues[0].message }, { status: 400 });
}
const updated = await prisma.board.update({
where: { id: params.boardId },
data: result.data
const updated = await withTenant(tenant.id, async (tx) => {
const board = await tx.board.findFirst({
where: { id: params.boardId, tenantId: tenant.id },
include: { members: true }
});
if (!board) throw error(404, 'Board not found');
const member = board.members.find((m) => m.userId === locals.user!.id);
const isAdmin =
locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
if (!member && !isAdmin) throw error(403, 'Access denied');
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit boards');
return tx.board.update({
where: { id: params.boardId },
data: result.data
});
});
return json({ board: updated });
@@ -85,18 +89,20 @@ export const DELETE: RequestHandler = async ({ params, locals }) => {
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const board = await prisma.board.findFirst({
where: { id: params.boardId, tenantId: tenant.id },
include: { members: true }
await withTenant(tenant.id, async (tx) => {
const board = await tx.board.findFirst({
where: { id: params.boardId, tenantId: tenant.id },
include: { members: true }
});
if (!board) throw error(404, 'Board not found');
const member = board.members.find((m) => m.userId === locals.user!.id);
const isAdmin =
locals.user!.globalRole === 'SITE_ADMIN' || locals.user!.tenantRole === 'ADMIN';
if (member?.role !== 'OWNER' && !isAdmin) throw error(403, 'Only owners can delete boards');
await tx.board.delete({ where: { id: params.boardId } });
});
if (!board) throw error(404, 'Board not found');
const member = board.members.find((m) => m.userId === locals.user!.id);
const isAdmin =
locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
if (member?.role !== 'OWNER' && !isAdmin) throw error(403, 'Only owners can delete boards');
await prisma.board.delete({ where: { id: params.boardId } });
return json({ ok: true });
};