forked from usebasejump/supabase-test-helpers
-
Notifications
You must be signed in to change notification settings - Fork 0
/
04-blog-example.sql
161 lines (134 loc) · 3.85 KB
/
04-blog-example.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
BEGIN;
CREATE EXTENSION supabase_test_helpers;
select plan(12);
-- create a posts table that references the auth.users table
create table public.posts
(
-- post id
id uuid primary key default uuid_generate_v4(),
-- the user's ID from the auth.users table out of supabase
user_id uuid references auth.users not null default auth.uid(),
-- post content
content text
);
-- won't be protected by default
select check_test(tests.rls_enabled('public', 'posts'), false);
-- Setup RLS on the posts table
ALTER TABLE public.posts ENABLE ROW LEVEL SECURITY;
create policy "All users can view their own posts" on public.posts
for select
to authenticated
using (
true
);
create policy "Users can create their own posts" on public.posts
for insert
to authenticated
with check (
user_id = auth.uid()
);
create policy "Users can update their own posts" on public.posts
for update
to authenticated
using (
user_id = auth.uid()
);
create policy "Users can delete their own posts" on public.posts
for delete
to authenticated
using (
user_id = auth.uid()
);
-- RLS should be enabled now with policies in place
-- Let's give it a test!
select tests.create_supabase_user('post_owner');
select tests.create_supabase_user('post_viewer');
-----------
-- Acting as post_owner
-----------
select tests.authenticate_as('post_owner');
-- insert a post
SELECT
results_eq(
$$ insert into public.posts (content) values ('Post created') returning user_id $$,
$$ VALUES(tests.get_supabase_uid('post_owner')) $$,
'authenticated users can insert a post'
);
-- owner can view their own posts
SELECT
results_eq(
$$ select content from posts limit 1 $$,
$$ VALUES('Post created') $$,
'Post owners can view their own posts'
);
-- owner can update the post
SELECT
results_eq(
$$ update posts set content = 'Post updated' returning content $$,
$$ VALUES('Post updated') $$,
'Post owners can update their own posts'
);
----------
-- Acting as post_viewer
----------
SELECT tests.authenticate_as('post_viewer');
-- post viewer cannot update the post
SELECT
is_empty(
$$ update posts set content = 'Post updated by viewer' returning content $$,
'Post viewers cannot update posts'
);
-- post viewer cannot delete the post
SELECT
is_empty(
$$ delete from posts returning 1 $$,
'Post viewers cannot delete posts'
);
-- post viewer can view the post
SELECT
results_eq(
$$ select content from posts limit 1 $$,
$$ VALUES('Post updated') $$,
'Post owners can view their own posts'
);
---------
-- Acting as anon
---------
SELECT tests.clear_authentication();
-- anon cannot view the post
SELECT
is_empty(
$$ select * from posts $$,
'Anon cannot view posts'
);
-- anon cannot update the post
SELECT
is_empty(
$$ update posts set content = 'Post updated by viewer' returning content $$,
'Anon cannot update posts'
);
-- anon cannot delete the post
SELECT
is_empty(
$$ delete from posts returning 1 $$,
'Anon cannot delete posts'
);
-- anon cannot insert new posts
SELECT
throws_ok(
$$ insert into posts (content) values ('Post created by anon') $$,
'new row violates row-level security policy for table "posts"'
);
--------
-- Acting as post_owner
--------
SELECT tests.authenticate_as('post_owner');
-- post owner can delete the post
SELECT
results_eq(
$$ delete from posts returning 1 $$,
$$ VALUES(1) $$,
'Post owners can delete their own posts'
);
select * from finish();
ROLLBACK;