fix: default API-exposure lints to public schema when pgrst.db_schemas is unset #168
Merged
utkarash2991 merged 1 commit on Jun 17, 2026
…s is unset
The API-exposure lints filter on the schemas listed in the `pgrst.db_schemas`
setting. When that GUC is unset — e.g. running splinter.sql directly via psql —
current_setting('pgrst.db_schemas','t') returns NULL, the schema array resolves
to empty, and the lints silently return 0 rows instead of surfacing real
exposures.
Wrap the setting in coalesce(..., 'public') so an unset GUC defaults to the
`public` schema (PostgREST's default). An explicitly empty value ('') still
means "expose nothing" and is left unchanged, preserving the existing
0017_foreign_table_in_api contract.
Adds a regression test (0013) covering the unset-GUC path and documents the
behaviour in the README.
PSQL-1309
b17fb17 to 981d96e
samrose approved these changes, Jun 16, 2026
samrose (Contributor) left a comment:
No issues found in PR #168 from a security or regression standpoint.
I reviewed the diff, checked all pgrst.db_schemas call sites, verified splinter.sql is in sync by rerunning bin/compile.py, and ran the Docker
regression suite on the PR branch. Result: all 28 tests passed, and splinter.sql loaded successfully afterward.
The change looks reasonable: absent pgrst.db_schemas now defaults to public, while an explicitly empty setting still means no exposed schemas.
That preserves the existing empty-setting behavior and fixes the plain-psql false negative case.
Problem (PSQL-1309)
The API-exposure lints (`auth_users_exposed`, `materialized_view_in_api`, `foreign_table_in_api`, etc.) only report objects in schemas listed in the `pgrst.db_schemas` setting. PostgREST sets that GUC at runtime, but it is not present in a plain `psql` connection.
When `pgrst.db_schemas` is unset, `current_setting('pgrst.db_schemas','t')` returns `NULL` → the schema array resolves to empty → `n.nspname = any('{}')` is always false → the lints silently return 0 rows instead of surfacing real exposures. This bites anyone running `splinter.sql` directly as a workaround.
Fix
Wrap the setting:
NULL) → defaults to the `public` schema (PostgREST's default). ✅ fixes the bug
'') → left unchanged; `''` means "expose nothing" so the lint correctly reports nothing. This preserves the existing `0017_foreign_table_in_api` contract (`set local pgrst.db_schemas = ''` → 0 rows).
Applied to all 9 affected lints; `splinter.sql` recompiled via `bin/compile.py`.
Tests
Added a regression block for the unset-GUC path to `0013_rls_disabled_in_public`
Docs
README Usage section now documents that only `public` is checked when the GUC is unset, and how to `set pgrst.db_schemas` for other exposed schemas.
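The three GUC states discussed in this PR (unset, explicitly empty, set) can be compared side by side in a fresh `psql` session. This is an added example, not code from the PR or from splinter: the `exposure_filter` view, the `array(select trim(unnest(...)))` parsing and the sample schema list are assumptions made for illustration.

```sql
-- Added illustration, not splinter's own SQL. Run in a fresh session in which
-- pgrst.db_schemas has never been set, on a database that has a "public" schema.
-- exposure_filter is a hypothetical helper view; the parsing expression is an
-- assumed stand-in for the schema filter the lints apply.
create temp view exposure_filter as
select
  current_setting('pgrst.db_schemas', true) is null as guc_is_null,
  -- Filter without a default: a NULL setting unnests to zero rows, so the
  -- array is empty and no schema can match.
  (select count(*)
     from pg_namespace n
    where n.nspname = any(array(
            select trim(unnest(string_to_array(
                     current_setting('pgrst.db_schemas', true), ',')))))
  ) as schemas_matched_without_default,
  -- Filter with the coalesce(..., 'public') wrapper described in the PR:
  -- only a NULL setting is replaced, an empty string passes through as-is.
  (select count(*)
     from pg_namespace n
    where n.nspname = any(array(
            select trim(unnest(string_to_array(
                     coalesce(current_setting('pgrst.db_schemas', true),
                              'public'), ',')))))
  ) as schemas_matched_with_default;

-- Case 1: GUC unset (plain psql). Only the coalesce form falls back to public.
select * from exposure_filter;

-- Case 2: GUC explicitly empty. '' is not NULL, so both forms match nothing,
-- which keeps the "expose nothing" meaning.
begin;
set local pgrst.db_schemas = '';
select * from exposure_filter;
rollback;

-- Case 3: GUC set to a comma-separated list (constructed sample value).
-- Both forms behave identically; trim() absorbs the space after the comma.
begin;
set local pgrst.db_schemas = 'public, information_schema';
select * from exposure_filter;
rollback;
```

A zero in `schemas_matched_without_default` while `guc_is_null` is true is the false-negative condition: the lint has no schemas to inspect, so an empty result says nothing about actual exposure.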