fix(exam): source-pdf download reads files row via service role (S4-8.1 merge-gate fix 2)

Pre-merge smoke caught a second issue: the source_file_id download path read `files`
as-the-user, tripping a PRE-EXISTING broken RLS policy on cabinet_memberships
(42P17 infinite recursion). Authz is already enforced (template fetch + source
visibility), and source_file_id is the template's own file, so resolve the row via
service role (documented exception, same as the catalogue lookup). Flagged the
cabinet_memberships RLS recursion separately as infra bug E8.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
CC Worker 2026-06-06 22:54:24 +00:00
parent c0775f3be1
commit a37bcaa935

@ -322,8 +322,12 @@ async def get_template_source_pdf(
except ValueError:
raise HTTPException(status_code=404, detail="Template source not found")
elif template.get("source_file_id"):
# Resolve the file row via service role (authz already done above: the caller proved they
# can see this template, and source_file_id is the template's own file). Reading `files`
# as-the-user trips a pre-existing broken RLS policy on cabinet_memberships
# (42P17 infinite recursion) — documented service-role exception, like the catalogue lookup.
file_row = _first(
ctx.supabase.table("files")
SupabaseServiceRoleClient().supabase.table("files")
.select("bucket, path, mime_type, name")
.eq("id", template["source_file_id"])
.limit(1)
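
Review bot: The service-role read at `SupabaseServiceRoleClient().supabase.table("files")` is filtered only by `.eq("id", template["source_file_id"])`, so once RLS is bypassed the template check earlier in the function is the sole control on which `files` row is returned. That holds only if `source_file_id` can never be set to a file outside the template's own scope. Either validate that binding where `source_file_id` is written, or add a second constraint to this query (for example the expected bucket or the template's owning scope) so a mis-set id fails closed with the same 404. The new comment calls this a "documented service-role exception" but does not name the tracking item. The commit message files the RLS recursion as infra bug E8, so cite E8 in the comment and note that the call should return to `ctx.supabase` once the policy is fixed, otherwise the bypass will outlive its reason. A regression test that requests the source PDF for a template the caller cannot see and expects 404 would pin the authz assumption this change relies on.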