Supabase Security Advisor Fix Planner
Paste redacted function notes or an advisor warning and generate a safe fix plan for Function Search Path Mutable, public.handle_new_user, trigger sign-up paths, search_path, and broad function execution grants.
Use this when
1. Advisor warns on a function: you see a Function Search Path Mutable warning or a function_search_path_mutable lint finding.
2. Auth signup uses a trigger: a handle_new_user function writes a profile row, and a bad fix could block signups.
3. Execution grants are unclear: you need to decide whether anon, authenticated, or public should be able to execute the function.
Use redacted SQL only. Do not paste secrets, private connection strings, real user data, customer records, payment data, private screenshots, full names, private handles, full transaction identifiers, credential values, service-role keys, or dashboard screenshots. This page runs locally in the browser and does not use network requests, browser storage, or a backend.
Fix plan
Safe remediation checklist
- Put `set search_path = ''` in the CREATE FUNCTION declaration (the function-level SET clause) when that is compatible with the function, then schema-qualify every relation the body touches, such as public.profiles.
- Do not treat a SET statement on the first line of the function body as the same thing as the function-level search_path setting. Only the declaration-level clause is recorded in pg_proc.proconfig, which is what the advisor inspects, and a SET inside the body changes search_path for the rest of the calling transaction rather than just the function.
- If the function is a security definer trigger such as public.handle_new_user, smoke-test a real signup after the migration, because a failing trigger on auth.users blocks auth signup.
- Record pg_proc.proconfig or equivalent migration evidence so the advisor warning can be tied to the deployed function, not a stale copy.
- Revoke broad EXECUTE from public, anon, and authenticated unless the function is intentionally callable by those roles (functions get EXECUTE for PUBLIC by default, so an unused trigger function is otherwise exposed through the RPC surface).
- When broad execution is required, keep caller-bound checks (for example auth.uid() comparisons) and anon/authenticated regression tests in the launch handoff.
- For stable SQL set-returning functions, also review whether adding SET search_path changes query plans before calling the fix done: Postgres does not inline a SQL-language function that carries a SET clause, so a previously inlined function may start executing as an opaque call.
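The checklist above applied end to end, as an added SQL example (not output of this tool and not Supabase's own code). It assumes a hypothetical public.profiles(id uuid primary key, email text) table and the auth.users trigger pattern from the Supabase docs; the "not a fix" variant is included to show why a body-level SET does not satisfy the advisor.

```sql
-- Added example (not this tool's output or Supabase's code).
-- Assumes: public.profiles(id uuid primary key, email text) exists and the
-- trigger is created by the project owner role, as in the Supabase docs pattern.

-- 1. The shape the advisor flags: security definer, no function-level
--    search_path, unqualified table name, default EXECUTE granted to PUBLIC.
create or replace function public.handle_new_user()
returns trigger
language plpgsql
security definer
as $$
begin
  insert into profiles (id, email)   -- resolved through the caller's search_path
  values (new.id, new.email);
  return new;
end;
$$;

-- 2. Not a fix: a SET inside the body runs at call time, never lands in
--    pg_proc.proconfig (so the lint still fires), and a SET LOCAL issued here
--    stays in effect for the rest of the calling transaction after return.
create or replace function public.handle_new_user()
returns trigger
language plpgsql
security definer
as $$
begin
  set local search_path = '';
  insert into public.profiles (id, email) values (new.id, new.email);
  return new;
end;
$$;

-- 3. The safe patch: function-level SET clause plus schema-qualified names.
--    The clause is restored automatically when the function exits.
create or replace function public.handle_new_user()
returns trigger
language plpgsql
security definer
set search_path = ''
as $$
begin
  insert into public.profiles (id, email)
  values (new.id, new.email);
  return new;
end;
$$;

-- Trigger wiring as in the docs pattern; unchanged by the fix.
drop trigger if exists on_auth_user_created on auth.users;
create trigger on_auth_user_created
  after insert on auth.users
  for each row execute function public.handle_new_user();

-- 4. Tighten grants. Postgres checks EXECUTE on a trigger function when the
--    trigger is created, not each time it fires, so removing anon/authenticated
--    access closes the direct RPC path without touching the signup path.
--    The real signup smoke test after this migration is still the proof.
revoke execute on function public.handle_new_user()
  from public, anon, authenticated;

-- 5. Evidence to keep with the migration. proconfig should read {search_path=}
--    and both roles should report can_execute = false.
select n.nspname, p.proname, p.prosecdef, p.proconfig
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 'public' and p.proname = 'handle_new_user';

select r as role_name,
       has_function_privilege(r, 'public.handle_new_user()', 'execute') as can_execute
from unnest(array['anon', 'authenticated']) as r;

-- 6. Smoke test (outside SQL): sign up a throwaway user through the Auth API,
--    then confirm the matching public.profiles row exists before rerunning
--    Security Advisor.
```

Run steps 3 to 5 as one migration so the proconfig and privilege snapshots describe exactly the function that was deployed; keep their output next to the migration file rather than a screenshot.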
Need a second pass?
The fixed-scope report can review one redacted Supabase function/advisor packet: likely safe patch shape, grants to tighten, signup or RPC smoke tests, and the exact evidence to keep before rerunning Security Advisor. The sample report is fictional and shows the report shape before checkout.
Source-backed problem set
Supabase database functions
Official docs cover security definer, search_path, and function execution privileges.
Supabase user management
Official docs show the handle_new_user trigger pattern with a function-level search_path.
Supabase Security Advisor
Official docs list Function Search Path Mutable as a Security Advisor check.
Live builder failure shape
A public forum question pairs a handle_new_user advisor warning with confusion over why signups started failing after the fix.