Protected columns?

Hey, I'm new to Supabase and postgresql in general, and I am trying to secure a

public.profiles

public.profiles

table in the database:

create table public.profiles (
  id uuid references auth.users not null,
  username text unique not null,
  email text unique not null,
  created_at timestamp with time zone,
  updated_at timestamp with time zone,
  avatar_url text,

  primary key (id),
  unique(username),
  constraint username_length check (char_length(username) >= 3)
);

create table public.profiles (
  id uuid references auth.users not null,
  username text unique not null,
  email text unique not null,
  created_at timestamp with time zone,
  updated_at timestamp with time zone,
  avatar_url text,

  primary key (id),
  unique(username),
  constraint username_length check (char_length(username) >= 3)
);

I therefore implemented RLS so that users are only allowed to edit their own profile:

-- ...
create policy "Users can update their own profile." on public.profiles
  for update using (auth.uid() = id);
-- ...

-- ...
create policy "Users can update their own profile." on public.profiles
  for update using (auth.uid() = id);
-- ...

But, if I haven't missed anything, I guess users would be able to edit any column in their profile, including

id

id

email

email

created_at

created_at

and

updated_at

updated_at

in this case. So what can I do to prevent that?

Thanks in advance for the help!

Supabase•4y ago•

3 replies

Pierre_

Protected columns?

Hey, I'm new to Supabase and postgresql in general, and I am trying to secure a

public.profiles

public.profiles

table in the database:

create table public.profiles (
  id uuid references auth.users not null,
  username text unique not null,
  email text unique not null,
  created_at timestamp with time zone,
  updated_at timestamp with time zone,
  avatar_url text,

  primary key (id),
  unique(username),
  constraint username_length check (char_length(username) >= 3)
);

create table public.profiles (
  id uuid references auth.users not null,
  username text unique not null,
  email text unique not null,
  created_at timestamp with time zone,
  updated_at timestamp with time zone,
  avatar_url text,

  primary key (id),
  unique(username),
  constraint username_length check (char_length(username) >= 3)
);

I therefore implemented RLS so that users are only allowed to edit their own profile:

-- ...
create policy "Users can update their own profile." on public.profiles
  for update using (auth.uid() = id);
-- ...

-- ...
create policy "Users can update their own profile." on public.profiles
  for update using (auth.uid() = id);
-- ...

But, if I haven't missed anything, I guess users would be able to edit any column in their profile, including

id

id

email

email

created_at

created_at

and

updated_at

updated_at

in this case. So what can I do to prevent that?

Thanks in advance for the help!

Protected columns?

Similar Threads

Protected columns?

Similar Threads

Similar Threads

Similar Threads