Why do this two ways of writing a policy differ?

Following the example for RLS in the docs (https://supabase.com/docs/guides/auth/row-level-security#policies-with-security-definer-functions) I wrote a policy for the "members" table like this:

-- 1. Follow example for 'Policies with joins' above

-- 2.  Enable RLS
alter table members
  enable row level security

-- 3.  Create security definer function
create or replace function get_teams_for_authenticated_user()
returns setof bigint
language sql
security definer
set search_path = public
stable
as $$
    select team_id
    from members
    where user_id = auth.uid()
$$;

-- 4. Create Policy
create policy "Team members can update team members if they belong to the team."
  on members
  for all using (
    team_id in (
      select get_teams_for_authenticated_user()
    )
  );

-- 1. Follow example for 'Policies with joins' above

-- 2.  Enable RLS
alter table members
  enable row level security

-- 3.  Create security definer function
create or replace function get_teams_for_authenticated_user()
returns setof bigint
language sql
security definer
set search_path = public
stable
as $$
    select team_id
    from members
    where user_id = auth.uid()
$$;

-- 4. Create Policy
create policy "Team members can update team members if they belong to the team."
  on members
  for all using (
    team_id in (
      select get_teams_for_authenticated_user()
    )
  );

This works smoothly.
Anyway, if a try write the policy without declaring the security defining function, putting the sql statement directly into the policy's

using

using

block, I got an error.
That is, if I write it this way:

create policy "Team members can update team members if they belong to the team."
  on members
  for all using (
    team_id in (
      select team_id
      from members
      where user_id = auth.uid()
    )
  );

create policy "Team members can update team members if they belong to the team."
  on members
  for all using (
    team_id in (
      select team_id
      from members
      where user_id = auth.uid()
    )
  );

When I try to call select the

members

members

table from the js sdk, I get an error that says: "infinite recursion detected in policy for relation "members""

Supabase Documentation

Row Level Security

Secure your data using Postgres Row Level Security.

Why do this two ways of writing a policy differ?

Following the example for RLS in the docs (https://supabase.com/docs/guides/auth/row-level-security#policies-with-security-definer-functions) I wrote a policy for the "members" table like this:

-- 1. Follow example for 'Policies with joins' above

-- 2.  Enable RLS
alter table members
  enable row level security

-- 3.  Create security definer function
create or replace function get_teams_for_authenticated_user()
returns setof bigint
language sql
security definer
set search_path = public
stable
as $$
    select team_id
    from members
    where user_id = auth.uid()
$$;

-- 4. Create Policy
create policy "Team members can update team members if they belong to the team."
  on members
  for all using (
    team_id in (
      select get_teams_for_authenticated_user()
    )
  );

-- 1. Follow example for 'Policies with joins' above

-- 2.  Enable RLS
alter table members
  enable row level security

-- 3.  Create security definer function
create or replace function get_teams_for_authenticated_user()
returns setof bigint
language sql
security definer
set search_path = public
stable
as $$
    select team_id
    from members
    where user_id = auth.uid()
$$;

-- 4. Create Policy
create policy "Team members can update team members if they belong to the team."
  on members
  for all using (
    team_id in (
      select get_teams_for_authenticated_user()
    )
  );

This works smoothly.
Anyway, if a try write the policy without declaring the security defining function, putting the sql statement directly into the policy's

using

using

block, I got an error.
That is, if I write it this way:

create policy "Team members can update team members if they belong to the team."
  on members
  for all using (
    team_id in (
      select team_id
      from members
      where user_id = auth.uid()
    )
  );

create policy "Team members can update team members if they belong to the team."
  on members
  for all using (
    team_id in (
      select team_id
      from members
      where user_id = auth.uid()
    )
  );

When I try to call select the

members

members

table from the js sdk, I get an error that says: "infinite recursion detected in policy for relation "members""

Supabase Documentation

Row Level Security

Secure your data using Postgres Row Level Security.

Why do this two ways of writing a policy differ?

Why do this two ways of writing a policy differ?

Similar Threads

Similar Threads

Similar Threads