@accounter/server
Version:
Accounter GraphQL server
26 lines (25 loc) • 1.14 kB
TypeScript
import { sql } from 'slonik';
/**
* Pin DELETE operations to the single write-target business.
*
* The previous migration (rls-multi-business-scope) replaced the read-side
* USING predicate with `owner_id = ANY(get_current_business_scope())`.
* PostgreSQL's DELETE command uses only USING (not WITH CHECK), so that change
* inadvertently widened the delete envelope to every business in the read
* scope — not just the explicit write target.
*
* This migration adds an AS RESTRICTIVE policy for DELETE on every
* tenant-isolated table. A RESTRICTIVE policy ANDs with permissive ones, so a
* DELETE row must satisfy BOTH the permissive USING (in scope) AND this
* restriction (= write target). Net effect: only rows owned by the current
* write-target business can be deleted — the same guarantee that existed before
* the multi-business read scope was introduced.
*/
declare const _default: {
name: string;
run: ({ connection }: {
sql: typeof sql.unsafe;
connection: import("slonik").DatabaseTransactionConnection | import("slonik").DatabasePool;
}) => Promise<void>;
};
export default _default;