Update grantPermissions.js to use double quotes #711

Merged
CodeWithCJ merged 3 commits into CodeWithCJ:main from toddejohnson:toddejohnson-patch-1
Feb 22, 2026
Conversation

@toddejohnson (Contributor)

@gemini-code-assist (Contributor)

Summary of Changes

Hello @toddejohnson, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the database permission granting mechanism by ensuring that the application user's role name is always properly quoted in SQL GRANT statements. This change enhances the robustness of the permission script, preventing potential issues that could arise from unquoted identifiers in PostgreSQL, thereby improving the reliability of database setup and access control.

Highlights

  • Database Permissions: Updated the grantPermissions.js script to consistently enclose the appUser variable in double quotes within all PostgreSQL GRANT statements. This ensures proper handling of database role names, especially those that might contain special characters or require case sensitivity.
Changelog
  • SparkyFitnessServer/db/grantPermissions.js
    • Modified all GRANT and ALTER DEFAULT PRIVILEGES SQL queries to enclose the appUser variable in double quotes.
Activity
  • No specific activity (comments, reviews, or progress updates) has been recorded for this pull request yet.

@gemini-code-assist (Contributor, bot) left a comment
Code Review

The pull request adds double quotes to role names in SQL queries, which is a good step for correctness with case-sensitive names. However, it leaves a potential SQL injection vulnerability if the role name contains double quotes. My review includes a suggestion to properly escape the role name identifier, which also refactors the repetitive query calls into a more maintainable loop. This improves both security and code quality.

@CodeWithCJ CodeWithCJ merged commit fc912d8 into CodeWithCJ:main Feb 22, 2026
1 check passed
@CodeWithCJ (Owner)

@toddejohnson Thanks a lot for your PR

@Sim-sat (Contributor) commented Feb 22, 2026

@toddejohnson this prevents the server from starting. Using a fresh clone with commit 30c01a4 leads to errors:

UTH] Synced trusted SSO providers for auto-linking: []
[2026-02-22T06:22:27.253Z] [ERROR] Error applying migrations: error: zero-length delimited identifier at or near """"
    at /app/SparkyFitnessServer/node_modules/pg/lib/client.js:588:17
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async applyMigrations (/app/SparkyFitnessServer/utils/dbMigrations.js:20:7) {
  length: 111,
  severity: 'ERROR',
  code: '42601',
  detail: undefined,
  hint: undefined,
  position: '13',
  internalPosition: undefined,
  internalQuery: undefined,
  where: undefined,
  schema: undefined,
  table: undefined,
  column: undefined,
  dataType: undefined,
  constraint: undefined,
  file: 'scan.l',
  line: '1188',
  routine: 'scanner_yyerror'
}
[nodemon] app crashed - waiting for file changes before starting...
simsat@pop-os:~/dev/SparkyFitness$

@CodeWithCJ (Owner)

Oh no.. fixing it now. I also saw that OAuth is triggering before the DB migration and RLS have completed, causing issues for first-time deployment users. Both will be fixed in the next PR.

@toddejohnson (Contributor, Author)

Perhaps I should switch back and let parameterized query handle the quoting and escaping?
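The identifier handling the review comment and the crash report above are about, written here as an added example rather than code from the SparkyFitness project: PostgreSQL bind parameters ($1) carry values only, never identifiers, so a role name in GRANT cannot be parameterized and has to be escaped in the SQL text; the helper below doubles embedded quotes, rejects the empty name whose quoted form `""` is the "zero-length delimited identifier" PostgreSQL reports, and builds every statement in one loop. The exact grant list and the client interface are assumptions.

```javascript
// Added example, not SparkyFitness's own grantPermissions.js.

// PostgreSQL identifier quoting: wrap in double quotes and double every embedded
// double quote. An empty name is rejected up front, because `""` is exactly the
// zero-length delimited identifier that PostgreSQL refuses to parse.
function quoteIdent(name) {
  if (typeof name !== "string" || name.length === 0) {
    throw new Error("identifier must be a non-empty string");
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// The set of grants is assumed (the PR's exact statement list is not on the page).
// Every statement uses the same quoted role, so a name that contains a quote
// (e.g. app"user) stays inside the identifier instead of terminating it.
function grantStatements(appUser, schema = "public") {
  const role = quoteIdent(appUser);
  const s = quoteIdent(schema);
  return [
    `GRANT USAGE ON SCHEMA ${s} TO ${role}`,
    `GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA ${s} TO ${role}`,
    `GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA ${s} TO ${role}`,
    `ALTER DEFAULT PRIVILEGES IN SCHEMA ${s} GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO ${role}`,
    `ALTER DEFAULT PRIVILEGES IN SCHEMA ${s} GRANT USAGE, SELECT ON SEQUENCES TO ${role}`,
  ];
}

// Run the statements in one loop against a pg-style client (assumed: anything
// with an async query(text) method), replacing repeated hand-written calls.
// Returns the number of statements executed.
async function applyGrants(client, appUser, schema = "public") {
  const statements = grantStatements(appUser, schema);
  for (const sql of statements) {
    await client.query(sql);
  }
  return statements.length;
}
```

The node-postgres driver exposes the same transformation as client.escapeIdentifier(), which can stand in for quoteIdent where a pg Client is already in scope.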
