Allow RPC only for RLS query
Hey, another question from my side. I'm using postgres function to check something in rls. But this function can be also called by client side user. Is there a way to allow running this function only server? And block it to run from client side?
4 Replies
This has several options: https://github.com/supabase/supabase/discussions/3591
Thanks for the answer. If I understood correctly it's okay when I want to run it with the service key, and not with the public one. But my problem is (I guess) more complicated. Since RLS will run with the user's rights, I'll get "authenticated" in both cases. Maybe there is another way to distinguish whether the function was run by the client, by calling supabase.rpc, or whether the function was run by an RLS policy.

Hmmm, so you are not using service_role, but just the user JWT. If so the API cannot tell the difference between the two requests (server, browser). You could call with service_role and pass in the user_id, check that service_role called, then use the user_id passed in.
That's a good idea. But I would like to use it with the public key. In my case it's a check for users in a space, etc. I'll just throw "denied" if the user is not in the space and it should be okay. I just don't want users outside the space to get the result of that function.
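The two approaches discussed in this thread, written out as an added SQL example (not code from the thread or from Supabase): a membership helper that only ever answers about the caller, so exposing it over RPC with the public key leaks nothing beyond the caller's own membership, and a service_role-only variant that takes an explicit user_id, as suggested above. The table names space_members and documents are hypothetical; auth.uid() and the request.jwt.claims setting are the standard Supabase/PostgREST helpers.

```sql
-- Hypothetical schema: which users belong to which space, and a table
-- whose rows should only be visible to members of the row's space.
create table public.space_members (
  space_id uuid not null,
  user_id  uuid not null,
  primary key (space_id, user_id)
);

create table public.documents (
  id       uuid primary key default gen_random_uuid(),
  space_id uuid not null,
  body     text
);

-- Option A (the approach the last reply settles on): the function can be
-- called by any authenticated user via supabase.rpc, but it ignores any
-- caller-supplied user id and only reports on auth.uid(), i.e. the JWT
-- subject. A user outside the space simply gets false about themselves.
create or replace function public.is_space_member(p_space_id uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from public.space_members m
    where m.space_id = p_space_id
      and m.user_id = auth.uid()
  );
$$;

-- The RLS policy runs as the requesting role, so "authenticated" must keep
-- EXECUTE on this function for the policy to work. That is why it must be
-- safe to expose: it cannot be asked about anyone but the caller.
alter table public.documents enable row level security;

create policy "space members can read documents"
  on public.documents
  for select
  to authenticated
  using (public.is_space_member(space_id));

-- Option B (the service_role suggestion): a variant that accepts an explicit
-- user_id is restricted to service_role, both by checking the JWT role claim
-- inside the function and by revoking EXECUTE from the API roles, so a
-- browser client holding the anon key cannot call it at all.
create or replace function public.is_space_member_for(p_space_id uuid, p_user_id uuid)
returns boolean
language plpgsql
stable
security definer
set search_path = public
as $$
begin
  -- request.jwt.claims is set by PostgREST for each request; the second
  -- argument to current_setting makes it return NULL instead of erroring
  -- when the setting is absent (e.g. a direct psql session).
  if coalesce(current_setting('request.jwt.claims', true)::jsonb ->> 'role', '')
     <> 'service_role' then
    raise exception 'permission denied' using errcode = '42501';
  end if;

  return exists (
    select 1
    from public.space_members m
    where m.space_id = p_space_id
      and m.user_id = p_user_id
  );
end;
$$;

-- Defence in depth: the grant layer blocks the call before the function body
-- even runs for anon/authenticated callers.
revoke execute on function public.is_space_member_for(uuid, uuid)
  from public, anon, authenticated;
grant execute on function public.is_space_member_for(uuid, uuid)
  to service_role;
```

With Option A, the client-side supabase.rpc('is_space_member', { p_space_id: ... }) call and the policy evaluation both run under the same "authenticated" role, which is exactly the situation described in the thread; the design makes that acceptable by bounding what the function can reveal rather than by trying to tell the two call paths apart. Option B is only appropriate for a trusted server holding the service key, since service_role bypasses RLS entirely.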