fix: exclude PostGIS system tables from RLS check #157
Open
adithyankoonoth wants to merge 2 commits into
What kind of change does this PR introduce?
Bug fix
What is the current behavior?
The security advisor flags public.spatial_ref_sys as a critical RLS
issue when the PostGIS extension is enabled. This is a false positive
because spatial_ref_sys is a PostGIS system table containing only
coordinate reference system definitions — no user data.
When users try to resolve it by running:
ALTER TABLE public.spatial_ref_sys ENABLE ROW LEVEL SECURITY
They get: ERROR: 42501: must be owner of table spatial_ref_sys
So the warning cannot be dismissed and users are left with a
permanent critical security alert they cannot fix.
Fixes #125
What is the new behavior?
Known PostGIS system tables (spatial_ref_sys, geometry_columns,
geography_columns, raster_columns, raster_overviews) are excluded
from the RLS check. Users with PostGIS enabled will no longer see
a false positive critical security warning for these tables.
Additional context
PostGIS creates these tables in the public schema by default and
does not support SET SCHEMA, so moving them to a different schema
is also not possible. Excluding them by name is the correct fix.
Referenced issue: #125
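An added example, not code from this PR or from the project's lint: a catalog query that lists tables in public with RLS disabled and skips the five names above only when the PostGIS extension actually owns them, so a user-created table that reuses one of those names is still reported. It assumes the check reads `pg_class.relrowsecurity` and that the extension is installed as `postgis` or `postgis_raster`.

```sql
-- Added example: public tables without RLS, with an ownership-guarded
-- exclusion for the PostGIS names listed in the PR description.
SELECT n.nspname AS schema_name,
       c.relname AS table_name
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
  AND n.nspname = 'public'
  AND NOT c.relrowsecurity             -- RLS is not enabled on the table
  AND NOT (
        -- Name list taken from the PR description.
        c.relname IN ('spatial_ref_sys', 'geometry_columns',
                      'geography_columns', 'raster_columns',
                      'raster_overviews')
        -- Guard: skip the name only if the relation is a member of the
        -- extension (pg_depend row with deptype 'e').
        AND EXISTS (
            SELECT 1
            FROM pg_catalog.pg_depend d
            JOIN pg_catalog.pg_extension e ON e.oid = d.refobjid
            WHERE d.classid    = 'pg_catalog.pg_class'::regclass
              AND d.objid      = c.oid
              AND d.refclassid = 'pg_catalog.pg_extension'::regclass
              AND d.deptype    = 'e'
              -- Assumed extension names; adjust to the installed ones.
              AND e.extname IN ('postgis', 'postgis_raster')
        )
      )
ORDER BY schema_name, table_name;
```

With PostGIS enabled and no other tables in public, the query returns no rows; a table named `spatial_ref_sys` that was created by hand and has no extension dependency still appears in the result.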