Skip to content

Implement Postgres Row Level Security (RLS) via Drizzle #31

Description

@SHAURYASANYAL3

🛑 The Problem

Security is paramount. If we introduce multi-tenant support for private repositories, we must mathematically guarantee that User A cannot read User B's repositories. Relying solely on application-level logic (where userId = ?) is prone to human error. If an engineer forgets a where clause, we leak private corporate data.

💡 The Solution

Implement Row Level Security (RLS) directly inside the Postgres database.

🛠️ Implementation Details

  1. Write raw SQL migration files to enable RLS: ALTER TABLE repositories ENABLE ROW LEVEL SECURITY;
  2. Create a policy: CREATE POLICY tenant_isolation ON repositories FOR ALL USING (tenant_id = current_setting('app.current_tenant_id'));
  3. Update the Drizzle connection pool wrapper. Before executing any query, it must execute set_config('app.current_tenant_id', '...', true) within the transaction block.

✅ Acceptance Criteria

  • It is physically impossible for a query to return a row belonging to another user, even if the WHERE clause is omitted in Drizzle.
  • RLS policies are applied to all sensitive tables (commits, snapshots).

Ready to tackle this? Comment .take below to get automatically assigned!

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions