18 lines
632 B
SQL
18 lines
632 B
SQL
-- SECURITY FIX: Only service_role should insert audit logs.
|
|
-- The previous policy WITH CHECK (true) allowed any authenticated user to write fake logs.
|
|
|
|
DROP POLICY IF EXISTS "Service role can insert audit logs" ON audit_logs;
|
|
|
|
CREATE POLICY "Only service_role inserts audit logs"
|
|
ON audit_logs
|
|
FOR INSERT
|
|
WITH CHECK (auth.role() = 'service_role');
|
|
|
|
-- Also fix rate_limit_logs which has the same issue
|
|
DROP POLICY IF EXISTS "Service role can insert rate limit logs" ON rate_limit_logs;
|
|
|
|
CREATE POLICY "Only service_role inserts rate limit logs"
|
|
ON rate_limit_logs
|
|
FOR INSERT
|
|
WITH CHECK (auth.role() = 'service_role');
|