From de0b03c13f7c8b783b2403933fc5106d29e08ba0 Mon Sep 17 00:00:00 2001 From: Dan Lynch Date: Mon, 30 Mar 2026 01:39:49 +0000 Subject: [PATCH] docs(secure_table_provision): clarify grant_privileges defaults to empty (no grants) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update comments to emphasize that callers must explicitly specify privileges. The default is empty — grants are opt-in, not automatic. --- .../tables/secure_table_provision/table.sql | 2 +- packages/metaschema-modules/sql/metaschema-modules--0.15.5.sql | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/secure_table_provision/table.sql b/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/secure_table_provision/table.sql index ed3f0bd4..b5a19e0b 100644 --- a/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/secure_table_provision/table.sql +++ b/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/secure_table_provision/table.sql @@ -80,7 +80,7 @@ COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.grant_roles I 'Database roles to grant privileges to. Supports multiple roles, e.g. ARRAY[''authenticated'', ''admin'']. Each role receives all privileges defined in grant_privileges. Defaults to ARRAY[''authenticated''].'; COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.grant_privileges IS - 'PostgreSQL array of jsonb [privilege, columns] tuples defining table grants. Examples: ARRAY[''["select","*"]''::jsonb, ''["insert","*"]''::jsonb] for full access, or ARRAY[''["update",["name","bio"]]''::jsonb] for column-level grants. "*" means all columns; an array means column-level grant. Defaults to ''{}'' (no grants). Type safety is enforced by PostgreSQL at INSERT time.'; + 'PostgreSQL array of jsonb [privilege, columns] tuples defining table grants. Examples: ARRAY[''["select","*"]''::jsonb, ''["insert","*"]''::jsonb] for full access, or ARRAY[''["update",["name","bio"]]''::jsonb] for column-level grants. "*" means all columns; an array means column-level grant. Defaults to ''{}'' (no grants — callers must explicitly specify privileges). Type safety is enforced by PostgreSQL at INSERT time.'; COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_type IS 'Policy generator type, e.g. ''AuthzEntityMembership'', ''AuthzMembership'', ''AuthzAllowAll''. NULL means no policy is created. When set, the trigger automatically enables RLS on the target table.'; diff --git a/packages/metaschema-modules/sql/metaschema-modules--0.15.5.sql b/packages/metaschema-modules/sql/metaschema-modules--0.15.5.sql index 939ec966..aec5f64a 100644 --- a/packages/metaschema-modules/sql/metaschema-modules--0.15.5.sql +++ b/packages/metaschema-modules/sql/metaschema-modules--0.15.5.sql @@ -421,7 +421,7 @@ COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.node_data IS COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.grant_roles IS 'Database roles to grant privileges to. Supports multiple roles, e.g. ARRAY[''authenticated'', ''admin'']. Each role receives all privileges defined in grant_privileges. Defaults to ARRAY[''authenticated''].'; -COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.grant_privileges IS 'Array of [privilege, columns] tuples defining table grants. Examples: [["select","*"],["insert","*"]] for full access, or [["update",["name","bio"]]] for column-level grants. "*" means all columns; an array means column-level grant. Defaults to ''[]'' (no grants). The trigger validates this is a proper jsonb array.'; +COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.grant_privileges IS 'Array of [privilege, columns] tuples defining table grants. Examples: [["select","*"],["insert","*"]] for full access, or [["update",["name","bio"]]] for column-level grants. "*" means all columns; an array means column-level grant. Defaults to ''[]'' (no grants — callers must explicitly specify privileges). The trigger validates this is a proper jsonb array.'; COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_type IS 'Policy generator type, e.g. ''AuthzEntityMembership'', ''AuthzMembership'', ''AuthzAllowAll''. NULL means no policy is created. When set, the trigger automatically enables RLS on the target table.';