
fix(jobs,database-jobs): grant authenticated EXECUTE on add_job #77

Merged: pyramation merged 1 commit into main from feat/grant-authenticated-execute-add-job on Jun 4, 2026

@pyramation
Contributor

Summary

Upstream the GRANT pattern from constructive-db#1496 so that SECURITY INVOKER trigger functions can call app_jobs.add_job() without requiring the entire trigger body to be SECURITY DEFINER.

Two changes per package (packages/jobs and packages/database-jobs):

  1. schema.sql adds GRANT USAGE ON SCHEMA app_jobs TO authenticated
  2. New deploy/revert/verify triple: GRANT EXECUTE ON FUNCTION app_jobs.add_job(...) TO authenticated

This lets triggers stay INVOKER (respecting RLS for entity lookups, org resolution, future cloud function validation) while only add_job itself escalates (it's already SECURITY DEFINER).

Also syncs sql/ output with current package.json versions via pgpm package (pgpm-jobs control was stuck at 0.15.5 while package.json was 0.26.0).

Refs: constructive-planning#998

Link to Devin session: https://app.devin.ai/sessions/2d4e3ceffc994b2486b4a9b010e14642
Requested by: @pyramation

Adds narrow GRANT pattern so that SECURITY INVOKER trigger functions can
call app_jobs.add_job() without requiring the entire trigger body to be
SECURITY DEFINER:

- GRANT USAGE ON SCHEMA app_jobs TO authenticated
- GRANT EXECUTE ON FUNCTION app_jobs.add_job(...) TO authenticated

This allows job-enqueue triggers to respect RLS and role context for
all operations except the actual job enqueue, which is already
SECURITY DEFINER.

Changes for both packages/jobs (7-param signature) and
packages/database-jobs (10-param signature with entity_id,
organization_id, entity_type).

Also syncs sql/ output with current package.json versions via
pgpm package.

Refs: constructive-db#1496, constructive-planning#998
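
The grant pattern described above, as an added example that is not code from this PR or repository. The schema `demo_jobs`, the two-argument `add_job(text, json)` and the `public.orders` table are hypothetical stand-ins (the real `add_job` signatures are not shown on this page); it assumes a superuser session in a scratch PostgreSQL database with no existing `authenticated` role.

```sql
-- Constructed demo. demo_jobs, add_job(text, json) and public.orders are
-- hypothetical; only the role name "authenticated" is taken from the PR.
BEGIN;
CREATE ROLE authenticated NOLOGIN;
CREATE SCHEMA demo_jobs;
CREATE TABLE demo_jobs.jobs (
  id bigserial PRIMARY KEY, task text NOT NULL, payload json NOT NULL);
-- The only escalation point: runs as its owner, with a pinned search_path.
CREATE FUNCTION demo_jobs.add_job(task text, payload json) RETURNS bigint
LANGUAGE sql SECURITY DEFINER SET search_path = pg_catalog, pg_temp AS $$
  INSERT INTO demo_jobs.jobs (task, payload) VALUES ($1, $2) RETURNING id
$$;
-- Functions are executable by PUBLIC by default, so narrow that first.
REVOKE ALL ON FUNCTION demo_jobs.add_job(text, json) FROM PUBLIC;

-- deploy: the two grants the PR describes
GRANT USAGE ON SCHEMA demo_jobs TO authenticated;
GRANT EXECUTE ON FUNCTION demo_jobs.add_job(text, json) TO authenticated;
-- verify: fail loudly if EXECUTE is missing or table access has leaked in
DO $$ BEGIN
  IF NOT has_function_privilege('authenticated', 'demo_jobs.add_job(text, json)', 'EXECUTE')
     OR has_table_privilege('authenticated', 'demo_jobs.jobs', 'SELECT, INSERT') THEN
    RAISE EXCEPTION 'grants differ from the intended narrow pattern';
  END IF;
END $$;

-- An RLS-protected table whose trigger stays SECURITY INVOKER (the default).
CREATE TABLE public.orders (
  id serial PRIMARY KEY, created_by name NOT NULL DEFAULT current_user);
ALTER TABLE public.orders ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_rows ON public.orders TO authenticated
  USING (created_by = current_user) WITH CHECK (created_by = current_user);
GRANT SELECT, INSERT ON public.orders TO authenticated;
GRANT USAGE ON SEQUENCE public.orders_id_seq TO authenticated;
CREATE FUNCTION public.orders_enqueue() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  PERFORM demo_jobs.add_job('order_created', json_build_object('id', NEW.id));
  RETURN NEW;
END $$;
CREATE TRIGGER orders_enqueue AFTER INSERT ON public.orders
  FOR EACH ROW EXECUTE FUNCTION public.orders_enqueue();

SET LOCAL ROLE authenticated;              -- act as an application user
INSERT INTO public.orders DEFAULT VALUES;  -- trigger body runs as authenticated
RESET ROLE;
SELECT task, payload FROM demo_jobs.jobs;  -- row inserted with the owner's rights
ROLLBACK;                                  -- revert everything, role included
```

Because EXECUTE is granted to the role rather than to the trigger, an `authenticated` session can also call the function directly, so the definer function is where task names and payloads need to be validated.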

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

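| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | jest@30.2.0 | 100 | 100 | 69 | 96 | 100 |
| Added | jest-in-case@1.0.2 | 99 | 100 | 99 | 75 | 100 |
| Added | lerna@8.2.4 | 94 | 100 | 84 | 87 | 100 |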


pyramation merged commit 3ecc43d into main on Jun 4, 2026
24 checks passed
pyramation deleted the feat/grant-authenticated-execute-add-job branch on June 4, 2026 06:53