Fixes a false positive in the CREATE-TABLE-without-RLS warning modal
added in #45008. The warning was firing on `CREATE FUNCTION` statements
because the `SELECT..INTO` detector was matching plpgsql variable
assignments inside `$$…$$` function bodies.
Reported example that triggered the modal with no table actually being
created:
```sql
create or replace function schema_checks()
returns jsonb
language plpgsql
as $$
declare
ret jsonb;
begin
select jsonb_build_object('value', 'ok') into ret;
return ret;
end;
$$;
```
**Changed:**
- `SQLEventParser.match()` now strips the body of `$tag$…$tag$` blocks
before running detectors. Tags are kept as markers; content is blanked
out so function bodies, DO blocks, and dollar-quoted string literals are
never scanned as DDL.
- Updated a pre-existing parser test that asserted the buggy behaviour
(it expected `CREATE TABLE fake` inside a `$$…$$` string literal to be
detected — `$$…$$` is a string literal in Postgres, not DDL).
**Added:**
- Regression tests in `SQLEditor.utils.test.ts` covering: the exact
reported function, DO blocks with `select into`, `create table` text
inside a function body, mixed top-level `CREATE TABLE` + function with
`INTO` assignments, and custom `$body$…$body$` tags.
- Parser-level regression test in `sql-event-parser.test.ts`.
## To test
- In the SQL editor, paste the function from the Slack report and run it
— the RLS warning modal should not appear.
- Run `create table foo (id int8 primary key);` on its own — modal still
appears as before.
- Run `create table foo (id int8); create or replace function bar()
returns int language plpgsql as $$ declare v int; begin select 1 into v;
return v; end; $$;` — modal should flag only `foo`, not `v`.
- Run an existing destructive query (`drop table x`) — unaffected, modal
still works.
## Summary by CodeRabbit
* **Bug Fixes**
  * Parser no longer treats DDL/DML-like text inside PL/pgSQL functions, DO blocks, or dollar-quoted bodies (including nested/custom tags) as top-level CREATE TABLE/SELECT INTO, preventing false detections and UI warnings.
* **Tests**
  * Added unit and e2e regression tests covering dollar-quoted blocks, nested dollar tags, DO blocks, SELECT INTO inside functions, and positive controls with a real top-level CREATE TABLE.
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
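The stripping step described in the commit message above, as an added TypeScript sketch (not the Studio parser's code). `blankDollarQuoted`, `detectCreatedTables` and both detector regexes are hypothetical simplifications, and the sample SQL is constructed from the cases the message lists.

```typescript
// Added illustration: names are hypothetical, not the Studio parser's own API.
const CREATE_TABLE = /\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?([\w."]+)/gi
// Simplified stand-in for a SELECT ... INTO detector.
const SELECT_INTO = /\bselect\b[^;]*?\binto\s+(\w+)/gi

// Blank the content of $tag$...$tag$ blocks. Tags stay as markers and every body
// character except newlines becomes a space, so offsets and line numbers in the
// result still line up with the original SQL.
function blankDollarQuoted(sql: string): string {
  const open = /\$(?:[A-Za-z_][A-Za-z0-9_]*)?\$/g
  let out = ''
  let pos = 0
  let m: RegExpExecArray | null
  while ((m = open.exec(sql)) !== null) {
    const tag = m[0] ?? ''
    const bodyStart = m.index + tag.length
    // A block ends at the next occurrence of the same tag, so a different tag
    // nested inside it ($outer$ ... $$ ... $$ ... $outer$) is blanked as well.
    const close = sql.indexOf(tag, bodyStart)
    if (close === -1) break // unterminated: keep the rest visible to detectors
    out += sql.slice(pos, bodyStart) + sql.slice(bodyStart, close).replace(/[^\n]/g, ' ') + tag
    pos = close + tag.length
    open.lastIndex = pos
  }
  return out + sql.slice(pos)
}

// Names the detectors report as newly created tables in the submitted SQL.
function detectCreatedTables(sql: string, stripBodies: boolean = true): string[] {
  const text = stripBodies ? blankDollarQuoted(sql) : sql
  const found: string[] = []
  for (const re of [CREATE_TABLE, SELECT_INTO]) {
    re.lastIndex = 0
    let m: RegExpExecArray | null
    while ((m = re.exec(text)) !== null) found.push(m[1] ?? '')
  }
  return found
}

// Constructed inputs based on the cases in the commit message.
const REPORTED_FN = 'create or replace function schema_checks() returns jsonb\n' +
  "language plpgsql as $$\ndeclare ret jsonb;\nbegin\n" +
  "  select jsonb_build_object('value', 'ok') into ret;\n  return ret;\nend;\n$$;"
const MIXED = 'create table foo (id int8); create or replace function bar() ' +
  'returns int language plpgsql as $body$ declare v int; begin select 1 into v; ' +
  'return v; end; $body$;'
```

With stripping disabled the sketch reproduces the false positive (`ret` and `v` are reported as tables); with it enabled only the top-level `foo` remains.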
Adds a pre-execution warning in the SQL editor when a `CREATE TABLE`
statement is run without enabling Row Level Security on the new table.
Responds to the press call-out around SQL editor security.
**Added:**
- Pre-execution check in `executeQuery` that detects `CREATE TABLE`
statements without a matching `ALTER TABLE ... ENABLE ROW LEVEL
SECURITY` in the same submitted SQL.
- New "Run and enable RLS" action in the warning modal that rewrites the
SQL to append `ALTER TABLE [schema.]<table> ENABLE ROW LEVEL SECURITY;`
for each detected table before running.
- Link in the modal to the RLS docs.
**Changed:**
- `RunQueryWarningModal` now renders `Dialog` directly (instead of
`ConfirmationModal`) so it can show three buttons: Cancel / Run without
RLS / Run and enable RLS.
- `sqlEventParser` table-name regex now supports quoted identifiers
containing spaces (e.g. `"My Table"`) and escaped quotes (e.g.
`"user""table"`).
The check runs against the SQL that's actually submitted, so
partial-selection works correctly — selecting only the `CREATE TABLE`
portion will trigger the warning even if there's a matching `ENABLE RLS`
lower in the editor.
## To test
- Open the SQL editor and run `create table foo (id int8 primary key);`
→ modal should appear with the RLS warning bullet and three buttons.
- Click **Run and enable RLS** → query runs, table is created with RLS
enabled.
- Click **Run without RLS** → query runs as written, no RLS.
- Run `create table foo (id int8); alter table foo enable row level
security;` → no modal (RLS already enabled in same submission).
- Run `create table public.bar (id int8); create table baz (id int8);
alter table baz enable rls;` → modal flags only `public.bar`.
- Select only the `create table` portion of a snippet that also enables
RLS lower down and run the selection → modal should still fire.
- Run an existing destructive query (`drop table x`) → modal still works
as before with two buttons (Cancel / Run this query).
## Summary by CodeRabbit
* **New Features**
  * SQL editor now detects CREATE TABLE statements missing Row Level Security (RLS) and shows counts and dynamic table/schema details in a redesigned warning dialog with updated pluralization and a “Learn more” link.
  * New actions: “Run without RLS” and, when available, “Run and enable RLS” which applies RLS and runs the query; editor can execute an overridden SQL payload when applying RLS changes.
* **Tests**
  * Added comprehensive unit and e2e tests covering RLS detection, SQL augmentation, trigger handling, identifier parsing, and the “Run and enable RLS” flow.
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
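The pre-execution check and the "Run and enable RLS" rewrite described in the commit message above, as an added TypeScript sketch (not Studio's implementation). All function and constant names are hypothetical, and it assumes top-level SQL text and compares schema-qualified and unqualified names as written, so `public.foo` and `foo` are treated as different tables.

```typescript
// Added illustration: names are hypothetical, not Studio's own code.
// An identifier is either quoted ("My Table", "user""table") or a bare word.
const IDENT = /(?:"(?:[^"]|"")+"|[A-Za-z_][\w$]*)/.source
const NAME = '(' + IDENT + '(?:\\s*\\.\\s*' + IDENT + ')?)'
const CREATE_RE = new RegExp(
  /\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?/.source + NAME, 'gi')
const ENABLE_RE = new RegExp(
  /\balter\s+table\s+(?:if\s+exists\s+)?(?:only\s+)?/.source + NAME +
  /\s+enable\s+row\s+level\s+security\b/.source, 'gi')

// Comparison key following Postgres folding rules: unquoted parts fold to
// lower case, quoted parts keep their case and "" becomes a literal quote.
function key(name: string): string {
  const parts: string[] = name.match(new RegExp(IDENT, 'g')) ?? []
  return JSON.stringify(parts.map((p: string) =>
    p.charAt(0) === '"' ? p.slice(1, -1).replace(/""/g, '"') : p.toLowerCase()))
}

function collect(re: RegExp, sql: string): string[] {
  const out: string[] = []
  re.lastIndex = 0
  let m: RegExpExecArray | null
  while ((m = re.exec(sql)) !== null) out.push(m[1] ?? '')
  return out
}

// Tables created in the submitted SQL with no matching ENABLE ROW LEVEL
// SECURITY in the same submission, returned as written by the user.
function tablesMissingRls(sql: string): string[] {
  const enabled = collect(ENABLE_RE, sql).map(key)
  return collect(CREATE_RE, sql).filter((t: string) => enabled.indexOf(key(t)) === -1)
}

// Append one ALTER TABLE per flagged table, reusing the user's own quoting.
function withRlsEnabled(sql: string): string {
  const missing = tablesMissingRls(sql)
  if (missing.length === 0) return sql
  const base = sql.trim().replace(/;?$/, ';')
  return base + '\n' +
    missing.map((t: string) => 'ALTER TABLE ' + t + ' ENABLE ROW LEVEL SECURITY;').join('\n')
}
```

Because the key follows identifier folding, `create table "Foo"` is not satisfied by `alter table foo enable row level security`, which names a different table in Postgres.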
## What kind of change does this PR introduce?
Chore / UI consistency fix. Resolves DEPR-418.
## What is the current behavior?
Shortcut hints are still hand-built in several high-traffic Studio
surfaces, which leads to inconsistent rendering and stale
platform-specific markup. Buttons in particular can end up with awkward
spacing and baseline alignment when shortcut labels are inserted
directly into the button text.
## What is the new behavior?
This PR standardises those shortcut hints around `KeyboardShortcut` and
updates the surrounding layout primitives to support that approach more
cleanly.
It includes:
- Design docs
- using `KeyboardShortcut` in the table side-panel `ActionBar`
- replacing hardcoded operation queue button shortcuts in
`OperationQueueSidePanel`
- standardising the command menu trigger shortcut chip and updating the
`LayoutHeader` overrides to match the new DOM shape
- replacing the AI editor empty-state `Cmd/Ctrl + K` hint with
`KeyboardShortcut`
- refining shared shortcut/button primitives so inline shortcuts align
better when used as button accessories
- keeping the SQL utility shortcut work on this branch consistent with
the same shared component approach
## Later todo
- [ ] Replace the string-based SQL editor placeholder shortcut in
`SQLEditor` once that placeholder API supports rich content
- [ ] Refactor `CommandOption` to use `KeyboardShortcut` instead of
bespoke platform detection and command-key markup
- [ ] Standardise the remaining DataTable shortcut hints
(`DataTableToolbar`, `DataTableResetButton`, `DataTableFilterCommand`,
`DataTableFilterControlsDrawer`) around `KeyboardShortcut`
## Summary by CodeRabbit
* **New Features**
  * Introduced a new KeyboardShortcut component for displaying keyboard shortcuts with two visual variants (pill and inline).
  * Standardized keyboard shortcut indicators across the application interface for consistent user experience.
* **Bug Fixes**
  * Fixed capitalization inconsistencies in button labels and hotkey settings.
## Problem
Some tests rely on hard coded timeouts. That makes them
- brittle if the timeout is not long enough
- take longer than necessary if the timeout is too long
## Solution
- Rely on playwright `expect` retries when possible
- Rely on UI updates when possible
## Context
Adds a warning if running an `ALTER DATABASE` command that prevents
connections to the database. This would lock the dashboard out of the
database, and re-configuring the setting will require a direct
connection to the DB
## To test
- Could try running the following command in the SQL editor to check the
warning, this will show all the warnings
```sql
ALTER TABLE colors2 drop column sss;
update colors set name = 'test';
alter database postgres connection limit 0;
```
* Hide favorite and share actions for self-hosted version.
* Rename the query on save only on platform.
* Simplify useCheckOpenAiKeyQuery.
* Rename with AI now depends if the OPENAI_API_KEY is set.
* Minor fixes.
* Fix the tests to use .skip for skipping tests. Remove extra port params.
* Make the test for favourites work only on platform variant.
Table editor tests were being run serially because they would otherwise
stomp all over each other in setup. But this made them really slow. This
PR changes them to run in parallel, and makes sure the setup step runs
only once by using a file lock.
Also cleans up miscellaneous other sources of flakiness in tests.
Co-authored-by: Ali Waseem <waseema393@gmail.com>
* chore: add final e2e tests for table-editor and sql-editor
* chore: update tests to run in staging
* chore: minor updates
* chore: fix PR feedback
---------
Co-authored-by: Jordi Enric <37541088+jordienr@users.noreply.github.com>
* chore: add e2e test for sql editor snippets
* trigger build
* chore: fix failing test and add rls
---------
Co-authored-by: Terry Sutton <saltcod@gmail.com>
* add new e2e folder
* add local supabase and conditional storage
* fix e2e selfhosted
* update actions
* add correct e2e folder
* fix e2e actions
* fix action project ids
* fix permissions
* fix script
* fix playwright install
* playwright root
* pnpm i
* fix api url
* add env docs
* update run script
* only install deps for e2e
* use same dep
* only install deps for tests
* upd lockfile
* use official vercel integration
* use vercel cli
* remove old folder
* fix script
* rm filter
* rename e2e studio package
* fix install browsers
* add polling for vercel build
* use vercel-preview-url package
* undo actions
* rename ci env to ci
* chore:add rls check and make playwright test less flakey (#35348)
* update ci action
* fix paths
* fix browser install
* run ci against staging
* try caching builds
* fix envs
* fix env check
* fix sign in
* fix sign in url
* fix envs and url
* fix caching
* fix race condition in sign in page
* fix race condition in sign in page
* add check to see if being redirected
* fix caching, check IS_PLATFORM var
* log is_platform
* try vercel build
* fix vercel project id
* fix path
* add temp vercel.json file
* fix paths
* undo project id stuff
* rm cwd
* fix path
* fix paths again
* fix path
* fix base url
* try different fix
* fix config base url
* fix base studio url issues
* retain video on fails
* Update e2e/studio/README.md
Co-authored-by: Copple <10214025+kiwicopple@users.noreply.github.com>
* Update e2e/studio/README.md
Co-authored-by: Copple <10214025+kiwicopple@users.noreply.github.com>
* fix env file naming
* undo caching
* rm old tests folder
* fix readme scripts
* rm vercel deploy for now, just run build locally
* fix url
* fix build script
* fix is_platform
* fix stuck studio start
* fix env vars
* retain network and logs on fail for better debugging
* add apiurl env
* back to vercel
* disable captcha
* fix test
* update environment configuration to remove default URLs for CI and streamline API base URL handling
* fix typeerr
* fix urls in home.spec
* fix urls in logs.spec
* fix urls in sqleditor spec
* fix table editor spec
* add tourl util
* use staging api in ci
* re add base url env var
* fix url in projects page
* fix url in sql editor spec
* fix sign in not waiting for cookies omfg
* fix env var name
* fix sql-editor test
* simplify table removal
* add opt out telemetry step
* fix logs tests
* fix table editor spec
* remove flaky steps from table editor tests
* use vercel deployment events instead of build
* add studio check
* fix condition
* debug event
* rm if
* trigger deploy
* undo ac
* make opt out button step optional, some envs don't have it
* use testid for sql run button
* use id instead of timestamp in logs tests
* empty
* rm retries
* up global timeout
* chore: fix failing sql-editor playwright test (#35767)
* chore: fix failing sql-editor playwright test
* chore: minor fixes
* Chore/update playwright config (#35826)
chore: update playwright config
* rm supabase project from e2e tests
* refactor and simplify environments
* fix sql editor test
* fix ci env vars
* fix
* fix on windows
* update readme
* add playwright install script to readme
* rm turbopack trace flag
* npm to pnpm for scripts
* delete ivan lines
---------
Co-authored-by: Michael Ong <minghao_3728@hotmail.com>
Co-authored-by: Copple <10214025+kiwicopple@users.noreply.github.com>