Problem
The festival-assets storage bucket has two conflicting sets of RLS policies on storage.objects:
supabase/migrations/20250811140000_add_festival_logo.sql creates INSERT/UPDATE/DELETE policies gated only on auth.role() = 'authenticated' (any logged-in user can write to the festival-logos folder).
supabase/migrations/20250827000000_add_festival_edition_metadata.sql later adds INSERT/UPDATE/DELETE policies gated on is_admin(auth.uid()).
Postgres evaluates multiple permissive RLS policies for the same command with OR: a row passes if any one of them allows it. Only policies created AS RESTRICTIVE are ANDed with the rest, and both migrations use the default PERMISSIVE. Because the policy names differ, the second migration did not replace the first set; both coexist, and a non-admin authenticated user still satisfies the earlier permissive policy. The intended admin-only restriction is therefore bypassed: any authenticated user can upload, update or delete festival logo assets.
Suggested fix
Add a migration that DROPs the three permissive write policies from 20250811140000_add_festival_logo.sql:
"Allow authenticated users to upload festival logos"
"Allow users to update their festival logos"
"Allow users to delete festival logos"
Keep the public-read policy (it matches the later "Anyone can view festival assets"). Going forward, prefer role scoping (TO authenticated) plus an explicit is_admin(auth.uid()) check over auth.role() = 'authenticated' in the predicate: TO authenticated makes Postgres skip the policy entirely for other roles, so the predicate carries only the authorization decision.
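An example of what that follow-up migration could look like (added here for illustration; this is not a file from the repo, and the migration filename is made up). It drops the three policies by their exact names, then fails loudly if any permissive write policy touching festival assets remains that is not gated on is_admin(). The pg_policies filter on the string "festival" is an assumption about how the remaining policies' predicates are written, so adjust it if the admin policies from 20250827000000 reference the bucket differently.

```sql
-- Illustrative migration, not the project's own file (name assumed):
-- supabase/migrations/20250901000000_drop_permissive_festival_logo_policies.sql

-- 1. Drop the three over-permissive write policies created in
--    20250811140000_add_festival_logo.sql. Names must match exactly
--    (quoted identifiers are case-sensitive). IF EXISTS keeps the migration
--    idempotent on environments where they were already removed by hand.
DROP POLICY IF EXISTS "Allow authenticated users to upload festival logos" ON storage.objects;
DROP POLICY IF EXISTS "Allow users to update their festival logos"        ON storage.objects;
DROP POLICY IF EXISTS "Allow users to delete festival logos"              ON storage.objects;

-- 2. Guard: abort the migration if any PERMISSIVE INSERT/UPDATE/DELETE/ALL
--    policy on storage.objects still mentions festival assets without an
--    is_admin(...) check. Permissive policies are OR'd, so a single leftover
--    would reopen the hole. (The '%festival%' match is an assumption about
--    how the bucket is referenced in the policy predicates.)
DO $$
DECLARE
  leaked text;
BEGIN
  SELECT string_agg(policyname, ', ')
    INTO leaked
    FROM pg_policies
   WHERE schemaname = 'storage'
     AND tablename  = 'objects'
     AND permissive = 'PERMISSIVE'
     AND cmd IN ('INSERT', 'UPDATE', 'DELETE', 'ALL')
     AND (coalesce(qual, '') ILIKE '%festival%'
          OR coalesce(with_check, '') ILIKE '%festival%')
     AND coalesce(qual, '')       NOT ILIKE '%is_admin(%'
     AND coalesce(with_check, '') NOT ILIKE '%is_admin(%';

  IF leaked IS NOT NULL THEN
    RAISE EXCEPTION
      'permissive festival write policies without is_admin() remain: %', leaked;
  END IF;
END $$;

-- 3. Shape to use for any future write policy on this bucket (pattern only;
--    the existing admin-gated policies from 20250827000000 are left in place):
--
--   CREATE POLICY "Admins can upload festival assets" ON storage.objects
--     FOR INSERT TO authenticated
--     WITH CHECK (bucket_id = 'festival-assets' AND is_admin(auth.uid()));
```

The guard in step 2 is what makes the migration safe to re-run and what catches a fourth permissive policy nobody remembered; without it the DROPs succeed silently even when the bypass is still present. The same SELECT, without the is_admin exclusion, is also a quick way to review every policy on storage.objects in an environment before and after applying the migration.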
Context
Flagged by Copilot review on PR #34. Pre-existing issue, not introduced by that PR — tracking separately since it is a security change rather than a db-sync change.