🛑 The Problem
Security is paramount. If we introduce multi-tenant support for private repositories, we must mathematically guarantee that User A cannot read User B's repositories. Relying solely on application-level logic (where userId = ?) is prone to human error. If an engineer forgets a where clause, we leak private corporate data.
💡 The Solution
Implement Row Level Security (RLS) directly inside the Postgres database.
🛠️ Implementation Details
- Write raw SQL migration files to enable RLS:
ALTER TABLE repositories ENABLE ROW LEVEL SECURITY;
- Create a policy:
CREATE POLICY tenant_isolation ON repositories FOR ALL USING (tenant_id = current_setting('app.current_tenant_id'));
- Update the Drizzle connection pool wrapper. Before executing any query, it must execute
set_config('app.current_tenant_id', '...', true) within the transaction block.
✅ Acceptance Criteria
Ready to tackle this? Comment .take below to get automatically assigned!
🛑 The Problem
Security is paramount. If we introduce multi-tenant support for private repositories, we must mathematically guarantee that User A cannot read User B's repositories. Relying solely on application-level logic (
where userId = ?) is prone to human error. If an engineer forgets awhereclause, we leak private corporate data.💡 The Solution
Implement Row Level Security (RLS) directly inside the Postgres database.
🛠️ Implementation Details
ALTER TABLE repositories ENABLE ROW LEVEL SECURITY;CREATE POLICY tenant_isolation ON repositories FOR ALL USING (tenant_id = current_setting('app.current_tenant_id'));set_config('app.current_tenant_id', '...', true)within the transaction block.✅ Acceptance Criteria
WHEREclause is omitted in Drizzle.Ready to tackle this? Comment
.takebelow to get automatically assigned!