RLS applying to many to many relationship

What I want: a user in Supabase to have read/write access to a specific club within a school. I also want that user to only be able to access students that belong to that club.

What I have: a RLS rule that successfully only returns clubs I should have access to. But if I get the list of students I get all students.

Supabase tables:

student:
first_name

student_club:
student_id,
club_id

club:
name

student:
first_name

student_club:
student_id,
club_id

club:
name

student:
first_name

student_club:
student_id,
club_id

club:
name

student:
first_name

student_club:
student_id,
club_id

club:
name

RLS for club table:

(uid() IN ( SELECT profiles.user_id
   FROM profiles
  WHERE (profiles.club_id = club.id)))

(uid() IN ( SELECT profiles.user_id
   FROM profiles
  WHERE (profiles.club_id = club.id)))

(uid() IN ( SELECT profiles.user_id
   FROM profiles
  WHERE (profiles.club_id = club.id)))

(uid() IN ( SELECT profiles.user_id
   FROM profiles
  WHERE (profiles.club_id = club.id)))

RLS is enabled for

club

club

club

club with the above rule and disabled on the other tables.

Do I need to add similar rules to the students and student_club tables? I was hoping I'd write essentially one rule and it would cover all the cases to reduce chances of bugs

RLS applying to many to many relationship

Similar Threads

Similar Threads

Similar Threads