Show only exposed schemas to which the user has access in error message

[laurenceisla]

Problem

When a user uses an incorrect schema, it returns the error message with all exposed schemas:

$ curl 'localhost:3000/todos' -H 'Accept-Profile: wrong'

{
  ...,
  "message": "The schema must be one of the following: api, auth_api"
}

For this example, the anon user has not USAGE access to the auth_api schema, but it's still shown.

Solution

It's expected that any exposed schema is already accessible by any request (the burden is on the dev to secure it), but it wouldn't hurt to show only the allowed schemas for the specific role in the error message, i.e.:

$ curl 'localhost:3000/todos' -H 'Accept-Profile: wrong'

{
  ...,
  "message": "The schema must be one of the following: api"
}

Adding the usage to the cached user profile and using it to filter the schemas should do it:

postgrest/src/PostgREST/Config/Database.hs

Lines 134 to 135 in 60d92f6

	queryRoleSettings :: PgVersion -> Bool -> Session (RoleSettings, RoleIsolationLvl)
	queryRoleSettings pgVer prepared =

[steve-chavez]

I don't see harm in providing a bit of security through obscurity.