Fix security vulnerability

src/integrations/supabase/types.ts

@@ -40,7 +40,27 @@ export type Database = {
       }
     }
     Views: {
-      [_ in never]: never
+      petition_signatures_public: {
+        Row: {
+          comment: string | null
+          created_at: string | null
+          id: string | null
+          name: string | null
+        }
+        Insert: {
+          comment?: string | null
+          created_at?: string | null
+          id?: string | null
+          name?: string | null
+        }
+        Update: {
+          comment?: string | null
+          created_at?: string | null
+          id?: string | null
+          name?: string | null
+        }
+        Relationships: []
+      }
     }
     Functions: {
       [_ in never]: never

supabase/migrations/20251026150411_756b9799-178e-43e7-b9f6-3d60649780b3.sql

@@ -0,0 +1,29 @@
+-- Create a public view that excludes email addresses
+CREATE OR REPLACE VIEW public.petition_signatures_public AS
+SELECT 
+  id,
+  created_at,
+  name,
+  comment
+FROM public.petition_signatures;
+
+-- Drop existing permissive policies
+DROP POLICY IF EXISTS "Anyone can view signatures" ON public.petition_signatures;
+DROP POLICY IF EXISTS "Anyone can sign the petition" ON public.petition_signatures;
+
+-- Restrict direct table access - only authenticated users can view full data
+CREATE POLICY "Only authenticated users can view all signature data"
+ON public.petition_signatures
+FOR SELECT
+TO authenticated
+USING (true);
+
+-- Allow anyone to insert (it's a petition, people need to sign it)
+CREATE POLICY "Anyone can sign the petition"
+ON public.petition_signatures
+FOR INSERT
+TO anon, authenticated
+WITH CHECK (true);
+
+-- Grant SELECT on the public view to everyone (including anonymous)
+GRANT SELECT ON public.petition_signatures_public TO anon, authenticated;