The SQL Editor was warning about missing RLS even when the same query
enabled it, if the user wrote `ALTER TABLE IF EXISTS ...`. The parser
regex didn't recognise `IF EXISTS` and was capturing `IF` as the table
name, so the RLS event never matched the `CREATE TABLE`.
**Changed:**
- `ALTER TABLE` regex in `sql-event-parser.ts` now accepts the optional
`IF EXISTS` and `ONLY` modifiers, matching Postgres's `ALTER TABLE [ IF
EXISTS ] [ ONLY ] name` grammar.
**Added:**
- Unit tests for `IF EXISTS`, `ONLY`, and both combined.
- Regression test in `SQLEditor.utils.test.ts` using the customer's
exact SQL.
## To test
1. Open the SQL Editor and paste:
```sql
CREATE TABLE IF NOT EXISTS public."Conversations" (id int8 primary key);
ALTER TABLE IF EXISTS public."Conversations" ENABLE ROW LEVEL SECURITY;
```
2. Hit Run – the "table will not have RLS" warning should **not**
appear.
3. Sanity check: a `CREATE TABLE` without any matching `ENABLE ROW LEVEL
SECURITY` still triggers the warning.
Addresses
[FE-3134](https://linear.app/supabase/issue/FE-3134/sql-editor-warns-about-missing-rls-policy-incorrectly).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Added comprehensive test coverage for Row Level Security detection
across different SQL syntax patterns and clause combinations
* **Bug Fixes**
* Enhanced Row Level Security detection capabilities in the SQL editor
by extending support for additional ALTER TABLE statement syntax
variations, improving the accuracy and completeness of security
configuration recognition
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
Fixes a false positive in the CREATE-TABLE-without-RLS warning modal
added in #45008. The warning was firing on `CREATE FUNCTION` statements
because the `SELECT..INTO` detector was matching plpgsql variable
assignments inside `$$…$$` function bodies.
Reported example that triggered the modal with no table actually being
created:
```sql
create or replace function schema_checks()
returns jsonb
language plpgsql
as $$
declare
ret jsonb;
begin
select jsonb_build_object('value', 'ok') into ret;
return ret;
end;
$$;
```
**Changed:**
- `SQLEventParser.match()` now strips the body of `$tag$…$tag$` blocks
before running detectors. Tags are kept as markers; content is blanked
out so function bodies, DO blocks, and dollar-quoted string literals are
never scanned as DDL.
- Updated a pre-existing parser test that asserted the buggy behaviour
(it expected `CREATE TABLE fake` inside a `$$…$$` string literal to be
detected — `$$…$$` is a string literal in Postgres, not DDL).
**Added:**
- Regression tests in `SQLEditor.utils.test.ts` covering: the exact
reported function, DO blocks with `select into`, `create table` text
inside a function body, mixed top-level `CREATE TABLE` + function with
`INTO` assignments, and custom `$body$…$body$` tags.
- Parser-level regression test in `sql-event-parser.test.ts`.
## To test
- In the SQL editor, paste the function from the Slack report and run it
— the RLS warning modal should not appear.
- Run `create table foo (id int8 primary key);` on its own — modal still
appears as before.
- Run `create table foo (id int8); create or replace function bar()
returns int language plpgsql as $$ declare v int; begin select 1 into v;
return v; end; $$;` — modal should flag only `foo`, not `v`.
- Run an existing destructive query (`drop table x`) — unaffected, modal
still works.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Parser no longer treats DDL/DML-like text inside PL/pgSQL functions,
DO blocks, or dollar-quoted bodies (including nested/custom tags) as
top-level CREATE TABLE/SELECT INTO, preventing false detections and UI
warnings.
* **Tests**
* Added unit and e2e regression tests covering dollar-quoted blocks,
nested dollar tags, DO blocks, SELECT INTO inside functions, and
positive controls with a real top-level CREATE TABLE.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
Adds a pre-execution warning in the SQL editor when a `CREATE TABLE`
statement is run without enabling Row Level Security on the new table.
Responds to the press call-out around SQL editor security.
<img width="708" height="498" alt="Screenshot 2026-04-18 at 4 31 07 PM"
src="https://github.com/user-attachments/assets/4f23ed5e-f32c-46f0-b0da-ac6d4c661c7c"
/>
**Added:**
- Pre-execution check in `executeQuery` that detects `CREATE TABLE`
statements without a matching `ALTER TABLE ... ENABLE ROW LEVEL
SECURITY` in the same submitted SQL.
- New "Run and enable RLS" action in the warning modal that rewrites the
SQL to append `ALTER TABLE [schema.]<table> ENABLE ROW LEVEL SECURITY;`
for each detected table before running.
- Link in the modal to the RLS docs.
**Changed:**
- `RunQueryWarningModal` now renders `Dialog` directly (instead of
`ConfirmationModal`) so it can show three buttons: Cancel / Run without
RLS / Run and enable RLS.
- `sqlEventParser` table-name regex now supports quoted identifiers
containing spaces (e.g. `"My Table"`) and escaped quotes (e.g.
`"user""table"`).
The check runs against the SQL that's actually submitted, so
partial-selection works correctly — selecting only the `CREATE TABLE`
portion will trigger the warning even if there's a matching `ENABLE RLS`
lower in the editor.
## To test
- Open the SQL editor and run `create table foo (id int8 primary key);`
→ modal should appear with the RLS warning bullet and three buttons.
- Click **Run and enable RLS** → query runs, table is created with RLS
enabled.
- Click **Run without RLS** → query runs as written, no RLS.
- Run `create table foo (id int8); alter table foo enable row level
security;` → no modal (RLS already enabled in same submission).
- Run `create table public.bar (id int8); create table baz (id int8);
alter table baz enable rls;` → modal flags only `public.bar`.
- Select only the `create table` portion of a snippet that also enables
RLS lower down and run the selection → modal should still fire.
- Run an existing destructive query (`drop table x`) → modal still works
as before with two buttons (Cancel / Run this query).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* SQL editor now detects CREATE TABLE statements missing Row Level
Security (RLS) and shows counts and dynamic table/schema details in a
redesigned warning dialog with updated pluralization and a “Learn more”
link.
* New actions: “Run without RLS” and, when available, “Run and enable
RLS” which applies RLS and runs the query; editor can execute an
overridden SQL payload when applying RLS changes.
* **Tests**
* Added comprehensive unit and e2e tests covering RLS detection, SQL
augmentation, trigger handling, identifier parsing, and the “Run and
enable RLS” flow.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
Add telemetry tracking for activation-related table operations
- Implement SQL event parser to detect table creation, data insertion, and RLS enablement
- Add telemetry tracking for these operations in table editor as well
- Add test coverage for SQL event parser
Alaister Young