Fix data table creds setup (#7516)

diegoimbert · web-flow · commit 710987a42267 · 2026-01-08T06:25:59.000Z
* fix wrong pg_creds

* revoke permissions
diff --git a/backend/migrations/20260107133344_fix_custom_user_instance.down.sql b/backend/migrations/20260107133344_fix_custom_user_instance.down.sql
@@ -0,0 +1 @@
+-- Add down migration script here
diff --git a/backend/migrations/20260107133344_fix_custom_user_instance.up.sql b/backend/migrations/20260107133344_fix_custom_user_instance.up.sql
@@ -0,0 +1,14 @@
+-- Revoke default privileges first
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+    REVOKE SELECT, INSERT, UPDATE, DELETE ON TABLES FROM custom_instance_user;
+REVOKE CREATE ON SCHEMA public FROM custom_instance_user;
+REVOKE USAGE ON SCHEMA public FROM custom_instance_user;
+
+DO $$
+DECLARE
+    dbname text := current_database();
+BEGIN
+    EXECUTE format('REVOKE CREATE ON DATABASE %I FROM custom_instance_user', dbname);
+    EXECUTE format('REVOKE CONNECT ON DATABASE %I FROM custom_instance_user', dbname);
+END $$;
+
diff --git a/backend/windmill-api/src/settings.rs b/backend/windmill-api/src/settings.rs
@@ -703,7 +703,7 @@ async fn setup_custom_instance_pg_database_inner(
 ) -> Result<()> {
     require_super_admin(db, &authed.email).await?;
     logs.super_admin = "OK".to_string();
-    let pg_creds = PgDatabase::parse_uri(&get_database_url().await?.as_str().await)?;
+    let wmill_pg_creds = PgDatabase::parse_uri(&get_database_url().await?.as_str().await)?;
     logs.database_credentials = "OK".to_string();
 
     // Validate name to ensure it only contains alphanumeric characters
@@ -716,7 +716,7 @@ async fn setup_custom_instance_pg_database_inner(
             "Catalog name must be alphanumeric, underscores allowed".to_string(),
         ));
     }
-    if pg_creds.dbname.trim().eq_ignore_ascii_case(dbname.trim()) {
+    if wmill_pg_creds.dbname.trim().eq_ignore_ascii_case(dbname.trim()) {
         return Err(error::Error::BadRequest(
             "Database name cannot be the same as the main database".to_string(),
         ));
@@ -731,6 +731,11 @@ async fn setup_custom_instance_pg_database_inner(
     .await?
     .unwrap_or(false);
 
+    let pg_creds = PgDatabase {
+        dbname: dbname.to_string(),
+        ..wmill_pg_creds
+    };
+
     logs.created_database = "SKIP".to_string();
     if !db_exists {
         sqlx::query(&format!("CREATE DATABASE \"{dbname}\""))
