From 3c71d060665ce5a70715bed3acfed65e5808d433 Mon Sep 17 00:00:00 2001
From: Dan Lynch <pyramation@gmail.com>
Date: Sun, 10 May 2026 09:36:30 +0000
Subject: [PATCH] fix: correct mutation variable shapes and expand
 expectRlsDenied patterns
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Update mutations: patch → appFilePatch/appBucketPatch (PostGraphile v5 input types)
- Add 'No values were' pattern to expectRlsDenied (RLS USING-clause denials on delete/update)
---
 .../server-test/__tests__/upload.integration.test.ts  | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/graphql/server-test/__tests__/upload.integration.test.ts b/graphql/server-test/__tests__/upload.integration.test.ts
index 08fd9226a..195b4f400 100644
--- a/graphql/server-test/__tests__/upload.integration.test.ts
+++ b/graphql/server-test/__tests__/upload.integration.test.ts
@@ -240,7 +240,8 @@ function expectRlsDenied(
     expect(
       msg.includes('permission denied') ||
         msg.includes('new row violates row-level security') ||
-        msg.includes('insufficient_privilege'),
+        msg.includes('insufficient_privilege') ||
+        msg.includes('No values were'),
     ).toBe(true);
     return;
   }
@@ -607,7 +608,7 @@ describe('Integration tests (uploads, tenant isolation, RLS)', () => {
       const res = await postGraphQLViaApi(bobDatabaseId, 'bob-app', {
         query: UPDATE_APP_FILE,
         variables: {
-          input: { id: bobSeededPublicFileId, patch: { bucketId: bobPrivateBucketId } },
+          input: { id: bobSeededPublicFileId, appFilePatch: { bucketId: bobPrivateBucketId } },
         },
       });
       expectRlsDenied(res, 'updateAppFile');
@@ -617,7 +618,7 @@ describe('Integration tests (uploads, tenant isolation, RLS)', () => {
       const res = await postGraphQLViaApi(bobDatabaseId, 'bob-app', {
         query: UPDATE_APP_FILE,
         variables: {
-          input: { id: bobSeededPublicFileId, patch: { isPublic: false } },
+          input: { id: bobSeededPublicFileId, appFilePatch: { isPublic: false } },
         },
       });
       expectRlsDenied(res, 'updateAppFile');
@@ -654,7 +655,7 @@ describe('Integration tests (uploads, tenant isolation, RLS)', () => {
       const res = await postGraphQLViaApi(malloryDatabaseId, 'mallory-app', {
         query: UPDATE_APP_FILE,
         variables: {
-          input: { id: malloryPublicFileId, patch: { filename: 'hacked.txt' } },
+          input: { id: malloryPublicFileId, appFilePatch: { filename: 'hacked.txt' } },
         },
       });
       expectRlsDenied(res, 'updateAppFile');
@@ -695,7 +696,7 @@ describe('Integration tests (uploads, tenant isolation, RLS)', () => {
       const res = await postGraphQLViaApi(bobDatabaseId, 'bob-app', {
         query: UPDATE_APP_BUCKET,
         variables: {
-          input: { id: bobPublicBucketId, patch: { isPublic: false } },
+          input: { id: bobPublicBucketId, appBucketPatch: { isPublic: false } },
         },
       });
       expectRlsDenied(res, 'updateAppBucket');