From e89b263eee013f37362b43220417aeac58f91ef4 Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Fri, 30 Jan 2026 13:32:43 +0200 Subject: [PATCH 1/4] fix: load safeupdate but disable for all but Data API --- .../20260130074514_load_disable_pg_safeupdate.sql | 8 ++++++++ nix/tests/expected/pg-safeupdate.out | 5 +++++ nix/tests/expected/roles.out | 2 +- nix/tests/sql/pg-safeupdate.sql | 8 ++++++++ 4 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 migrations/db/migrations/20260130074514_load_disable_pg_safeupdate.sql diff --git a/migrations/db/migrations/20260130074514_load_disable_pg_safeupdate.sql b/migrations/db/migrations/20260130074514_load_disable_pg_safeupdate.sql new file mode 100644 index 000000000..2f89dc6d2 --- /dev/null +++ b/migrations/db/migrations/20260130074514_load_disable_pg_safeupdate.sql @@ -0,0 +1,8 @@ +-- migrate:up +ALTER ROLE authenticated SET session_preload_libraries = 'safeupdate'; +load 'safeupdate'; + +SET safeupdate.enabled=0; + +-- migrate:down + diff --git a/nix/tests/expected/pg-safeupdate.out b/nix/tests/expected/pg-safeupdate.out index f9100116a..0d17924d4 100644 --- a/nix/tests/expected/pg-safeupdate.out +++ b/nix/tests/expected/pg-safeupdate.out @@ -8,5 +8,10 @@ create table v.foo( update v.foo set val = 'bar'; ERROR: UPDATE requires a WHERE clause +grant all on schema v to authenticated; +set role authenticated; +delete from v.foo; +ERROR: DELETE requires a WHERE clause +reset role; drop schema v cascade; NOTICE: drop cascades to table v.foo diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out index c4e25b61b..0dba360cb 100644 --- a/nix/tests/expected/roles.out +++ b/nix/tests/expected/roles.out @@ -63,7 +63,7 @@ order by rolname; rolname | rolconfig ----------------------------+--------------------------------------------------------------------------------- anon | {statement_timeout=3s} - authenticated | {statement_timeout=8s} + authenticated | {statement_timeout=8s,session_preload_libraries=safeupdate} authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s} dashboard_user | pg_checkpoint | diff --git a/nix/tests/sql/pg-safeupdate.sql b/nix/tests/sql/pg-safeupdate.sql index 790ec79fa..6a7946e23 100644 --- a/nix/tests/sql/pg-safeupdate.sql +++ b/nix/tests/sql/pg-safeupdate.sql @@ -12,4 +12,12 @@ create table v.foo( update v.foo set val = 'bar'; +grant all on schema v to authenticated; +set role authenticated; + +delete from v.foo; +reset role; drop schema v cascade; + + + From ea2bb428848f891d2e35c1fe929048638af8928a Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Fri, 30 Jan 2026 16:34:43 +0200 Subject: [PATCH 2/4] fix: add anon role to safeupdate enabled automatically --- .../db/migrations/20260130074514_load_disable_pg_safeupdate.sql | 1 + 1 file changed, 1 insertion(+) diff --git a/migrations/db/migrations/20260130074514_load_disable_pg_safeupdate.sql b/migrations/db/migrations/20260130074514_load_disable_pg_safeupdate.sql index 2f89dc6d2..3b662c9c5 100644 --- a/migrations/db/migrations/20260130074514_load_disable_pg_safeupdate.sql +++ b/migrations/db/migrations/20260130074514_load_disable_pg_safeupdate.sql @@ -1,5 +1,6 @@ -- migrate:up ALTER ROLE authenticated SET session_preload_libraries = 'safeupdate'; +ALTER ROLE anon SET session_preload_libraries = 'safeupdate'; load 'safeupdate'; SET safeupdate.enabled=0; From 44c79c21a8447be78909c36d64a466e360cfa9af Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Fri, 30 Jan 2026 16:51:33 +0200 Subject: [PATCH 3/4] add initialScript to pg-safeupdate test for user creation --- nix/ext/tests/pg_safeupdate.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/nix/ext/tests/pg_safeupdate.nix b/nix/ext/tests/pg_safeupdate.nix index 4f168f8b0..abc34d646 100644 --- a/nix/ext/tests/pg_safeupdate.nix +++ b/nix/ext/tests/pg_safeupdate.nix @@ -54,6 +54,12 @@ self.inputs.nixpkgs.lib.nixos.runTest { enable = true; package = (postgresqlWithExtension psql_15); settings = (installedExtension "15").defaultSettings or { }; + initialScript = pkgs.writeText "init-postgres" '' + CREATE ROLE authenticated NOLOGIN NOINHERIT; + GRANT USAGE ON SCHEMA public TO authenticated; + CREATE ROLE anon NOLOGIN NOINHERIT; + GRANT USAGE ON SCHEMA public TO anon; + ''; }; specialisation.postgresql17.configuration = { From d30d5c2dfd083b96b821d51823b0c8e9d7c95fff Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Tue, 3 Feb 2026 15:10:15 +0200 Subject: [PATCH 4/4] fix: add libs to anon roles tests --- nix/tests/expected/roles.out | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out index 0dba360cb..f7fe78d3d 100644 --- a/nix/tests/expected/roles.out +++ b/nix/tests/expected/roles.out @@ -62,7 +62,7 @@ where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_ order by rolname; rolname | rolconfig ----------------------------+--------------------------------------------------------------------------------- - anon | {statement_timeout=3s} + anon | {statement_timeout=3s,session_preload_libraries=safeupdate} authenticated | {statement_timeout=8s,session_preload_libraries=safeupdate} authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s} dashboard_user |