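-- Security fix: remove the legacy 3-argument purchase_lead overload.
--
-- Migration 00010 created purchase_lead(UUID, UUID, INTEGER), whose INTEGER
-- argument carried a client-controlled price.
-- Migration 00012 created the safe 2-argument version purchase_lead(UUID, UUID).
-- This migration drops the 3-argument overload so that only the 2-argument
-- version remains callable under this signature pair.
--
-- NOTE(review): the function name is not schema-qualified, so both statements
-- resolve through the session search_path. If the migration runner does not pin
-- search_path, qualify the name with the owning schema (not shown in this file).
-- NOTE(review): only this exact signature is dropped. Any other overload of
-- purchase_lead, and the EXECUTE privileges on the 2-argument version, are not
-- touched by this migration and should be reviewed separately.

-- IF EXISTS keeps the migration idempotent on databases where the legacy
-- overload was never created or has already been removed.
DROP FUNCTION IF EXISTS purchase_lead(UUID, UUID, INTEGER);

-- Fail closed: if the legacy signature still resolves after the DROP (for
-- example from another schema on the search_path), abort instead of reporting
-- the fix as applied. to_regprocedure returns NULL when nothing matches.
DO $$
BEGIN
    IF to_regprocedure('purchase_lead(uuid, uuid, integer)') IS NOT NULL THEN
        RAISE EXCEPTION 'purchase_lead(uuid, uuid, integer) is still resolvable after DROP FUNCTION';
    END IF;
END
$$;

-- Record the fix on the surviving function. COMMENT ON FUNCTION has no
-- IF EXISTS form, so this statement also aborts the migration if the safe
-- 2-argument version from migration 00012 is missing.
COMMENT ON FUNCTION purchase_lead(UUID, UUID) IS 'Secure lead purchase function. Price is determined server-side from leads.final_price. The old 3-arg version with client-controlled pricing was removed for security.';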