fix: only use MAINTAIN for table privileges if PG17+ (supabase#30998)

* chore: use @supabase/pg-meta for table privileges queries

* fix: only use MAINTAIN for table privileges if PG17+

* chore: run prettier

Author: soedirgo

apps/studio/components/interfaces/Database/Privileges/Privileges.utils.ts

@@ -15,7 +15,7 @@ import {
   TablePrivilegesGrant,
   grantTablePrivileges,
 } from 'data/privileges/table-privileges-grant-mutation'
-import type { TablePrivilege } from 'data/privileges/table-privileges-query'
+import type { PgTablePrivileges } from 'data/privileges/table-privileges-query'
 import {
   TablePrivilegesRevoke,
   revokeTablePrivileges,
@@ -35,7 +35,7 @@ export interface PrivilegeOperation {
   privilege_type: string
 }
 
-export function getDefaultTableCheckedStates(tablePrivilege: TablePrivilege) {
+export function getDefaultTableCheckedStates(tablePrivilege: PgTablePrivileges) {
   return Object.fromEntries(
     ALL_PRIVILEGE_TYPES.map((privilege) => [
       privilege,
@@ -286,16 +286,16 @@ export function useApplyPrivilegeOperations(callback?: () => void) {
       const grantTableOperations = tableOperations
         .filter((op) => op.type === 'grant')
         .map((op) => ({
-          relation_id: Number(op.id),
+          relationId: Number(op.id),
           grantee: op.grantee,
-          privilege_type: op.privilege_type as TablePrivilegesGrant['privilege_type'],
+          privilegeType: op.privilege_type as TablePrivilegesGrant['privilegeType'],
         }))
       const revokeTableOperations = tableOperations
         .filter((op) => op.type === 'revoke')
         .map((op) => ({
-          relation_id: Number(op.id),
+          relationId: Number(op.id),
           grantee: op.grantee,
-          privilege_type: op.privilege_type as TablePrivilegesRevoke['privilege_type'],
+          privilegeType: op.privilege_type as TablePrivilegesRevoke['privilegeType'],
         }))
 
       const grantColumnOperations = columnOperations

apps/studio/components/interfaces/Integrations/Queues/SingleQueue/QueueSettings.tsx

@@ -147,8 +147,8 @@ export const QueueSettings = ({}: QueueSettingsProps) => {
                 connectionString: project.connectionString,
                 revokes: revoke.map((x) => ({
                   grantee: x.role,
-                  privilege_type: x.action.toUpperCase(),
-                  relation_id: queueTable.id,
+                  privilegeType: x.action.toUpperCase(),
+                  relationId: queueTable.id,
                 })) as TablePrivilegesRevoke[],
               }),
             ]
@@ -162,13 +162,13 @@ export const QueueSettings = ({}: QueueSettingsProps) => {
                 revokes: [
                   ...rolesNoLongerHavingPerms.map((x) => ({
                     grantee: x,
-                    privilege_type: 'INSERT' as 'INSERT',
-                    relation_id: archiveTable.id,
+                    privilegeType: 'INSERT' as const,
+                    relationId: archiveTable.id,
                   })),
                   ...rolesNoLongerHavingPerms.map((x) => ({
                     grantee: x,
-                    privilege_type: 'SELECT' as 'SELECT',
-                    relation_id: archiveTable.id,
+                    privilegeType: 'SELECT' as const,
+                    relationId: archiveTable.id,
                   })),
                 ],
               }),
@@ -181,8 +181,8 @@ export const QueueSettings = ({}: QueueSettingsProps) => {
                 connectionString: project.connectionString,
                 grants: grant.map((x) => ({
                   grantee: x.role,
-                  privilege_type: x.action.toUpperCase(),
-                  relation_id: queueTable.id,
+                  privilegeType: x.action.toUpperCase(),
+                  relationId: queueTable.id,
                 })) as TablePrivilegesGrant[],
               }),
               // Just grant select + insert on archive table as long as we're granting any perms to the queue table for the role
@@ -192,13 +192,13 @@ export const QueueSettings = ({}: QueueSettingsProps) => {
                 grants: [
                   ...rolesBeingGrantedPerms.map((x) => ({
                     grantee: x,
-                    privilege_type: 'INSERT' as 'INSERT',
-                    relation_id: archiveTable.id,
+                    privilegeType: 'INSERT' as const,
+                    relationId: archiveTable.id,
                   })),
                   ...rolesBeingGrantedPerms.map((x) => ({
                     grantee: x,
-                    privilege_type: 'SELECT' as 'SELECT',
-                    relation_id: archiveTable.id,
+                    privilegeType: 'SELECT' as const,
+                    relationId: archiveTable.id,
                   })),
                 ],
               }),

apps/studio/data/privileges/table-privileges-grant-mutation.ts

@@ -1,12 +1,17 @@
+import pgMeta from '@supabase/pg-meta'
 import { useMutation, UseMutationOptions, useQueryClient } from '@tanstack/react-query'
 import { toast } from 'sonner'
 
-import type { components } from 'data/api'
-import { handleError, post } from 'data/fetchers'
+import { executeSql } from 'data/sql/execute-sql-query'
 import type { ResponseError } from 'types'
+import { invalidateTablePrivilegesQuery } from './table-privileges-query'
 import { privilegeKeys } from './keys'
 
-export type TablePrivilegesGrant = components['schemas']['GrantTablePrivilegesBody']
+export type TablePrivilegesGrant = Parameters<
+  typeof pgMeta.tablePrivileges.grant
+>[0] extends (infer T)[]
+  ? T
+  : never
 
 export type TablePrivilegesGrantVariables = {
   projectRef: string
@@ -19,21 +24,14 @@ export async function grantTablePrivileges({
   connectionString,
   grants,
 }: TablePrivilegesGrantVariables) {
-  const headers = new Headers()
-  if (connectionString) headers.set('x-connection-encrypted', connectionString)
-
-  const { data, error } = await post('/platform/pg-meta/{ref}/table-privileges', {
-    params: {
-      path: { ref: projectRef },
-      // this is needed to satisfy the typescript, but it doesn't pass the actual header
-      header: { 'x-connection-encrypted': connectionString! },
-    },
-    body: grants,
-    headers,
+  const sql = pgMeta.tablePrivileges.grant(grants).sql
+  const { result } = await executeSql({
+    projectRef,
+    connectionString,
+    sql,
+    queryKey: ['table-privileges', 'grant'],
   })
-
-  if (error) handleError(error)
-  return data
+  return result
 }
 
 type TablePrivilegesGrantData = Awaited<ReturnType<typeof grantTablePrivileges>>
@@ -55,7 +53,7 @@ export const useTablePrivilegesGrantMutation = ({
         const { projectRef } = variables
 
         await Promise.all([
-          queryClient.invalidateQueries(privilegeKeys.tablePrivilegesList(projectRef)),
+          invalidateTablePrivilegesQuery(queryClient, projectRef),
           queryClient.invalidateQueries(privilegeKeys.columnPrivilegesList(projectRef)),
         ])
 

apps/studio/data/privileges/table-privileges-query.ts

@@ -1,43 +1,39 @@
-import { UseQueryOptions, useQuery } from '@tanstack/react-query'
+import pgMeta from '@supabase/pg-meta'
+import { QueryClient, UseQueryOptions, useQuery } from '@tanstack/react-query'
+import { z } from 'zod'
 
-import type { components } from 'data/api'
-import { get, handleError } from 'data/fetchers'
-import type { ResponseError } from 'types'
+import { executeSql, ExecuteSqlError } from 'data/sql/execute-sql-query'
 import { privilegeKeys } from './keys'
 
 export type TablePrivilegesVariables = {
   projectRef?: string
   connectionString?: string
 }
 
-export type TablePrivilege = components['schemas']['PostgresTablePrivileges']
+export type PgTablePrivileges = z.infer<typeof pgMeta.tablePrivileges.zod>
 
-export async function getTablePrivileges(
+const pgMetaTablePrivilegesList = pgMeta.tablePrivileges.list()
+
+export type TablePrivilegesData = z.infer<typeof pgMetaTablePrivilegesList.zod>
+export type TablePrivilegesError = ExecuteSqlError
+
+async function getTablePrivileges(
   { projectRef, connectionString }: TablePrivilegesVariables,
   signal?: AbortSignal
 ) {
-  if (!projectRef) throw new Error('projectRef is required')
-
-  const headers = new Headers()
-  if (connectionString) headers.set('x-connection-encrypted', connectionString)
-
-  const { data, error } = await get('/platform/pg-meta/{ref}/table-privileges', {
-    params: {
-      path: { ref: projectRef },
-      // this is needed to satisfy the typescript, but it doesn't pass the actual header
-      header: { 'x-connection-encrypted': connectionString! },
+  const { result } = await executeSql(
+    {
+      projectRef,
+      connectionString,
+      sql: pgMetaTablePrivilegesList.sql,
+      queryKey: ['table-privileges'],
     },
-    signal,
-    headers,
-  })
+    signal
+  )
 
-  if (error) throw handleError(error)
-  return data
+  return result as TablePrivilegesData
 }
 
-export type TablePrivilegesData = Awaited<ReturnType<typeof getTablePrivileges>>
-export type TablePrivilegesError = ResponseError
-
 export const useTablePrivilegesQuery = <TData = TablePrivilegesData>(
   { projectRef, connectionString }: TablePrivilegesVariables,
   {
@@ -53,3 +49,10 @@ export const useTablePrivilegesQuery = <TData = TablePrivilegesData>(
       ...options,
     }
   )
+
+export function invalidateTablePrivilegesQuery(
+  client: QueryClient,
+  projectRef: string | undefined
+) {
+  return client.invalidateQueries(privilegeKeys.tablePrivilegesList(projectRef))
+}

apps/studio/data/privileges/table-privileges-revoke-mutation.ts

@@ -1,12 +1,17 @@
+import pgMeta from '@supabase/pg-meta'
 import { useMutation, UseMutationOptions, useQueryClient } from '@tanstack/react-query'
 import { toast } from 'sonner'
 
-import type { components } from 'data/api'
-import { del, handleError } from 'data/fetchers'
+import { executeSql } from 'data/sql/execute-sql-query'
 import type { ResponseError } from 'types'
+import { invalidateTablePrivilegesQuery } from './table-privileges-query'
 import { privilegeKeys } from './keys'
 
-export type TablePrivilegesRevoke = components['schemas']['RevokeTablePrivilegesBody']
+export type TablePrivilegesRevoke = Parameters<
+  typeof pgMeta.tablePrivileges.revoke
+>[0] extends (infer T)[]
+  ? T
+  : never
 
 export type TablePrivilegesRevokeVariables = {
   projectRef: string
@@ -19,21 +24,14 @@ export async function revokeTablePrivileges({
   connectionString,
   revokes,
 }: TablePrivilegesRevokeVariables) {
-  const headers = new Headers()
-  if (connectionString) headers.set('x-connection-encrypted', connectionString)
-
-  const { data, error } = await del('/platform/pg-meta/{ref}/table-privileges', {
-    params: {
-      path: { ref: projectRef },
-      // this is needed to satisfy the typescript, but it doesn't pass the actual header
-      header: { 'x-connection-encrypted': connectionString! },
-    },
-    body: revokes,
-    headers,
+  const sql = pgMeta.tablePrivileges.revoke(revokes).sql
+  const { result } = await executeSql({
+    projectRef,
+    connectionString,
+    sql,
+    queryKey: ['table-privileges', 'revoke'],
   })
-
-  if (error) handleError(error)
-  return data
+  return result
 }
 
 type TablePrivilegesRevokeData = Awaited<ReturnType<typeof revokeTablePrivileges>>
@@ -55,7 +53,7 @@ export const useTablePrivilegesRevokeMutation = ({
         const { projectRef } = variables
 
         await Promise.all([
-          queryClient.invalidateQueries(privilegeKeys.tablePrivilegesList(projectRef)),
+          invalidateTablePrivilegesQuery(queryClient, projectRef),
           queryClient.invalidateQueries(privilegeKeys.columnPrivilegesList(projectRef)),
         ])
 

apps/studio/pages/api/pg-meta/[ref]/table-privileges.ts

@@ -1,9 +1,11 @@
 import roles from './pg-meta-roles'
 import schemas from './pg-meta-schemas'
 import * as functions from './pg-meta-functions'
+import tablePrivileges from './pg-meta-table-privileges'
 
 export default {
   roles,
   schemas,
   functions,
+  tablePrivileges,
 }