fix: remove platform_steps and template_trees from Phase 4 RLS

Both tables have no account_id column — they are globally readable by all authenticated users and must not have RLS policies. Also removes the corresponding test cases that assumed these tables had account_id-based policies. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 01:48:50 +00:00
parent c6da4ebee5
commit f9248aeaa8
2 changed files with 7 additions and 82 deletions
--- a/backend/alembic/versions/b3c7e9f2a1d8_enable_rls_phase4.py
+++ b/backend/alembic/versions/b3c7e9f2a1d8_enable_rls_phase4.py
@@ -13,8 +13,8 @@ Skipped intentionally:
  - accounts            — IS the root table; no account_id column
  - plan_feature_defaults — platform config; no account_id column
  - script_categories   — global lookup table; no account_id column
-                          (ScriptTemplate in the same file has account_id,
-                          ScriptCategory does not)
+  - platform_steps      — global content; no account_id column (readable by all)
+  - template_trees      — global content; no account_id column (readable by all)

 Revision ID: b3c7e9f2a1d8
 Revises: 172ad76d7d20
@@ -29,8 +29,6 @@ down_revision: Union[str, None] = "172ad76d7d20"
 branch_labels = None
 depends_on = None

-PLATFORM_ACCOUNT_ID = "00000000-0000-0000-0000-000000000001"
-
 # Standard policy — tenant sees only own rows.
 _STANDARD_TABLES = [
    "users",
@@ -63,13 +61,6 @@ _STANDARD_TABLES = [
    "user_pinned_trees",
 ]

-# Platform-visibility policy — tenant sees own rows PLUS PLATFORM_ACCOUNT_ID rows.
-# These tables hold global content created by ResolutionFlow admins.
-_PLATFORM_TABLES = [
-    "platform_steps",
-    "template_trees",
-]
-
 _POLICY_EXPR = (
    "account_id = COALESCE("
    "NULLIF(current_setting('app.current_account_id', TRUE), ''), "
@@ -79,7 +70,6 @@ _POLICY_EXPR = (


 def upgrade() -> None:
-    # Standard tables — tenant isolation only
    for table in _STANDARD_TABLES:
        op.execute(f"ALTER TABLE {table} ENABLE ROW LEVEL SECURITY")
        op.execute(f"ALTER TABLE {table} FORCE ROW LEVEL SECURITY")
@@ -88,20 +78,8 @@ def upgrade() -> None:
            USING ({_POLICY_EXPR})
        """)

-    # Platform-visible tables — own rows OR global platform rows
-    for table in _PLATFORM_TABLES:
-        op.execute(f"ALTER TABLE {table} ENABLE ROW LEVEL SECURITY")
-        op.execute(f"ALTER TABLE {table} FORCE ROW LEVEL SECURITY")
-        op.execute(f"""
-            CREATE POLICY tenant_isolation ON {table}
-            USING (
-                {_POLICY_EXPR}
-                OR account_id = '{PLATFORM_ACCOUNT_ID}'::uuid
-            )
-        """)
-

 def downgrade() -> None:
-    for table in _STANDARD_TABLES + _PLATFORM_TABLES:
+    for table in _STANDARD_TABLES:
        op.execute(f"DROP POLICY IF EXISTS tenant_isolation ON {table}")
        op.execute(f"ALTER TABLE {table} DISABLE ROW LEVEL SECURITY")