Conversation
Implements PostgreSQL's FORCE ROW LEVEL SECURITY feature, which applies row-level security policies even to table owners and superusers. Changes: - Added RLSForced boolean field to IR Table struct - Updated database queries to fetch relforcerowsecurity from pg_class - Extended diff logic to track ENABLE and FORCE changes independently - Added SQL generation for FORCE/NO FORCE ROW LEVEL SECURITY statements - Created dedicated test case for FORCE RLS functionality - Updated fingerprints in existing policy tests to account for new IR field Test coverage: - New test: create_policy/force_rls - validates FORCE RLS detection and migration - All 9 policy integration tests passing - Both diff and plan/apply tests validated Fixes #214 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Policy expressions (USING/WITH CHECK) now strip same-schema function qualifiers to prevent perpetual diffs. When a policy references a function in the same schema (e.g., tenant1.auth_uid()), the qualifier is normalized away to match PostgreSQL's storage behavior. Changes: - Update normalizePolicyExpression to accept tableSchema parameter - Add schema stripping logic matching normalizeDefaultValue pattern - Add test case with auth_uid() function and users_isolation policy 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes issue #220 where policy expressions containing same-schema function calls caused perpetual diffs. When PostgreSQL stores RLS policies that reference functions in the same schema (e.g., tenant1.auth_uid()), it strips the schema qualifier as the function is in the search path. However, pgschema was not normalizing these qualifiers during comparison, leading to false positives in plan diffs.
Key changes:
- Updated
normalizePolicyandnormalizePolicyExpressionto accepttableSchemaparameter for context-aware normalization - Added same-schema function qualifier stripping logic matching the pattern established in
normalizeDefaultValue(from issue #218 fix) - Added comprehensive test case with
auth_uid()function andusers_isolationpolicy to validate the fix
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| ir/normalize.go | Updated normalizePolicy and normalizePolicyExpression to accept table schema parameter and strip same-schema function qualifiers from policy expressions using regex pattern matching |
| testdata/dump/tenant/tenant.sql | Added auth_uid() function and users_isolation RLS policy test case to reproduce and validate the fix for issue #220 |
| testdata/dump/tenant/pgschema.sql | Added expected output showing the policy with unqualified function call, ensuring normalized comparison works correctly |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
asonawalla
added a commit
to asonawalla/pgschema
that referenced
this pull request
Jan 4, 2026
Following the pattern established in PR pgplex#222 for function qualifiers, this extends policy expression normalization to also strip same-schema qualifiers from table references. When a policy expression contains a subquery like: FROM public.users u PostgreSQL's pg_get_expr() returns it without the schema qualifier: FROM users u This caused perpetual diffs because pgschema added the qualifier back. The fix applies the same normalization approach: strip schema qualifiers from table references when they match the target schema. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This was referenced Jan 4, 2026
tianzhou
pushed a commit
that referenced
this pull request
Jan 5, 2026
Following the pattern established in PR #222 for function qualifiers, this extends policy expression normalization to also strip same-schema qualifiers from table references. When a policy expression contains a subquery like: FROM public.users u PostgreSQL's pg_get_expr() returns it without the schema qualifier: FROM users u This caused perpetual diffs because pgschema added the qualifier back. The fix applies the same normalization approach: strip schema qualifiers from table references when they match the target schema. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
alecthomas
pushed a commit
to alecthomas/pgschema
that referenced
this pull request
Jan 26, 2026
* feat: add support for FORCE ROW LEVEL SECURITY Implements PostgreSQL's FORCE ROW LEVEL SECURITY feature, which applies row-level security policies even to table owners and superusers. Changes: - Added RLSForced boolean field to IR Table struct - Updated database queries to fetch relforcerowsecurity from pg_class - Extended diff logic to track ENABLE and FORCE changes independently - Added SQL generation for FORCE/NO FORCE ROW LEVEL SECURITY statements - Created dedicated test case for FORCE RLS functionality - Updated fingerprints in existing policy tests to account for new IR field Test coverage: - New test: create_policy/force_rls - validates FORCE RLS detection and migration - All 9 policy integration tests passing - Both diff and plan/apply tests validated Fixes pgplex#214 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: regenerate plan * fix: normalize policy expression schema qualifiers (pgplex#220) Policy expressions (USING/WITH CHECK) now strip same-schema function qualifiers to prevent perpetual diffs. When a policy references a function in the same schema (e.g., tenant1.auth_uid()), the qualifier is normalized away to match PostgreSQL's storage behavior. Changes: - Update normalizePolicyExpression to accept tableSchema parameter - Add schema stripping logic matching normalizeDefaultValue pattern - Add test case with auth_uid() function and users_isolation policy 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
alecthomas
pushed a commit
to alecthomas/pgschema
that referenced
this pull request
Jan 26, 2026
…gplex#226) Following the pattern established in PR pgplex#222 for function qualifiers, this extends policy expression normalization to also strip same-schema qualifiers from table references. When a policy expression contains a subquery like: FROM public.users u PostgreSQL's pg_get_expr() returns it without the schema qualifier: FROM users u This caused perpetual diffs because pgschema added the qualifier back. The fix applies the same normalization approach: strip schema qualifiers from table references when they match the target schema. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix #220
Policy expressions (USING/WITH CHECK) now strip same-schema function
qualifiers to prevent perpetual diffs. When a policy references a
function in the same schema (e.g., tenant1.auth_uid()), the qualifier
is normalized away to match PostgreSQL's storage behavior.
Changes:
🤖 Generated with Claude Code