From b655bfc2084be500cdaac2b68801008a274d9b1f Mon Sep 17 00:00:00 2001 From: Oscar Hong Date: Fri, 3 Jul 2026 13:03:05 +0800 Subject: [PATCH] Grant service_role write access to usage-submit tables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The service client (POST /api/usage/submit) writes daily_usage, device_usage, and posts, but those tables were only GRANTed to `authenticated` — service_role relied on Postgres default privileges. Newer local Supabase images enforce table GRANTs for service_role, so a freshly-booted `supabase start` stack returns 'permission denied for table device_usage', failing the real-Supabase integration test on every PR. Hosted Supabase already has these grants, so this is a no-op there. Co-Authored-By: Claude Opus 4.8 --- ...0703000000_grant_service_role_usage_tables.sql | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 supabase/migrations/20260703000000_grant_service_role_usage_tables.sql diff --git a/supabase/migrations/20260703000000_grant_service_role_usage_tables.sql b/supabase/migrations/20260703000000_grant_service_role_usage_tables.sql new file mode 100644 index 0000000..8017280 --- /dev/null +++ b/supabase/migrations/20260703000000_grant_service_role_usage_tables.sql 
@@ -0,0 +1,15 @@ +-- Grant the server-side service role explicit write access to the tables that +-- POST /api/usage/submit writes through the service client. +-- +-- These tables (daily_usage, device_usage, posts) were only ever GRANTed to +-- `authenticated`; service_role's access relied on Postgres default +-- privileges. Newer local Supabase images enforce table-level GRANTs for +-- service_role instead of falling back to those defaults, so the usage-submit +-- route started returning `permission denied for table device_usage` (500) +-- against a freshly-booted `supabase start` stack — breaking the real-Supabase +-- integration test. In hosted Supabase service_role already holds these +-- privileges, so these statements are idempotent no-ops there. + +GRANT SELECT, INSERT, UPDATE ON public.daily_usage TO service_role; +GRANT SELECT, INSERT, UPDATE ON public.device_usage TO service_role; +GRANT SELECT, INSERT, UPDATE, DELETE ON public.posts TO service_role;
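Review bot: the last GRANT gives service_role DELETE on public.posts, but the header comment only says that POST /api/usage/submit writes these tables, and the other two statements stop at SELECT, INSERT, UPDATE. Either name in the comment the code path that deletes from posts, or drop DELETE so all three grants match what the route is documented to do. In Supabase, service_role bypasses row-level security, so these table grants are the only limit on what the service client can do and are worth keeping as narrow as the route needs. The comment also puts the root cause at reliance on default privileges, so any other table the service client touches will fail the same way on a fresh local stack. A line stating that these three are the only tables the route uses, or a follow-up audit, would make that explicit.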