|
| 1 | +-- migrate:up |
| 2 | +drop event trigger if exists issue_pg_cron_access; |
| 3 | +drop event trigger if exists issue_pg_net_access; |
| 4 | +drop function if exists extensions.grant_pg_cron_access; |
| 5 | +drop function if exists extensions.grant_pg_net_access; |
| 6 | + |
| 7 | +CREATE OR REPLACE FUNCTION extensions.grant_pg_cron_access() |
| 8 | + RETURNS event_trigger |
| 9 | + LANGUAGE plpgsql |
| 10 | +AS $function$ |
| 11 | +BEGIN |
| 12 | + IF EXISTS ( |
| 13 | + SELECT |
| 14 | + FROM pg_event_trigger_ddl_commands() AS ev |
| 15 | + JOIN pg_extension AS ext |
| 16 | + ON ev.objid = ext.oid |
| 17 | + WHERE ext.extname = 'pg_cron' |
| 18 | + ) |
| 19 | + THEN |
| 20 | + grant usage on schema cron to postgres with grant option; |
| 21 | + |
| 22 | + alter default privileges in schema cron grant all on tables to postgres with grant option; |
| 23 | + alter default privileges in schema cron grant all on functions to postgres with grant option; |
| 24 | + alter default privileges in schema cron grant all on sequences to postgres with grant option; |
| 25 | + |
| 26 | + alter default privileges for user supabase_admin in schema cron grant all |
| 27 | + on sequences to postgres with grant option; |
| 28 | + alter default privileges for user supabase_admin in schema cron grant all |
| 29 | + on tables to postgres with grant option; |
| 30 | + alter default privileges for user supabase_admin in schema cron grant all |
| 31 | + on functions to postgres with grant option; |
| 32 | + |
| 33 | + grant all privileges on all tables in schema cron to postgres with grant option; |
| 34 | + revoke all on table cron.job from postgres; |
| 35 | + grant select on table cron.job to postgres with grant option; |
| 36 | + END IF; |
| 37 | +END; |
| 38 | +$function$; |
| 39 | + |
| 40 | +CREATE OR REPLACE FUNCTION extensions.grant_pg_net_access() |
| 41 | + RETURNS event_trigger |
| 42 | + LANGUAGE plpgsql |
| 43 | +AS $function$ |
| 44 | +BEGIN |
| 45 | + IF EXISTS ( |
| 46 | + SELECT 1 |
| 47 | + FROM pg_event_trigger_ddl_commands() AS ev |
| 48 | + JOIN pg_extension AS ext |
| 49 | + ON ev.objid = ext.oid |
| 50 | + WHERE ext.extname = 'pg_net' |
| 51 | + ) |
| 52 | + THEN |
| 53 | + IF NOT EXISTS ( |
| 54 | + SELECT 1 |
| 55 | + FROM pg_roles |
| 56 | + WHERE rolname = 'supabase_functions_admin' |
| 57 | + ) |
| 58 | + THEN |
| 59 | + CREATE USER supabase_functions_admin NOINHERIT CREATEROLE LOGIN NOREPLICATION; |
| 60 | + END IF; |
| 61 | + |
| 62 | + GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role; |
| 63 | + |
| 64 | + IF EXISTS ( |
| 65 | + SELECT FROM pg_extension |
| 66 | + WHERE extname = 'pg_net' |
| 67 | + -- all versions in use on existing projects as of 2025-02-20 |
| 68 | + -- version 0.12.0 onwards don't need these applied |
| 69 | + AND extversion IN ('0.2', '0.6', '0.7', '0.7.1', '0.8', '0.10.0', '0.11.0') |
| 70 | + ) THEN |
| 71 | + ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER; |
| 72 | + ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER; |
| 73 | + |
| 74 | + ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net; |
| 75 | + ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net; |
| 76 | + |
| 77 | + REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC; |
| 78 | + REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC; |
| 79 | + |
| 80 | + GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role; |
| 81 | + GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role; |
| 82 | + END IF; |
| 83 | + END IF; |
| 84 | +END; |
| 85 | +$function$; |
| 86 | + |
| 87 | +CREATE EVENT TRIGGER issue_pg_cron_access ON ddl_command_end |
| 88 | + WHEN TAG IN ('CREATE EXTENSION') |
| 89 | + EXECUTE FUNCTION extensions.grant_pg_cron_access(); |
| 90 | + |
| 91 | +CREATE EVENT TRIGGER issue_pg_net_access ON ddl_command_end |
| 92 | + WHEN TAG IN ('CREATE EXTENSION') |
| 93 | + EXECUTE FUNCTION extensions.grant_pg_net_access(); |
| 94 | + |
| 95 | +-- migrate:down |
0 commit comments