Supabase•4y ago•

4 replies

Race condition with RLS

I have somewhat of a race condition but I'm not sure the exact execution order inside postgres.

I have

teams

teams

and

team_members

team_members

tables.

teams

teams

has an RLS policy for SELECT statements meaning only members of that team can read it (if currently authed user is present in the

team_members

team_members

table). There's also a similar policy on

team_members

team_members

.

I allow any

authenticated

authenticated

user to INSERT into

teams

teams

, and then a trigger will add a row to

team_members

team_members

with the user that created the team. Simple enough.

The issue is this insert fails because of the RLS policy - because I am returning a result from the modified row, my assumption being that when I

.select()

.select()

from the insert - the trigger has not yet been run and therefore no record exists in

team_members

team_members

.

If I comment out these lines

const res = await supabase
                .from('teams')
                .insert({
                    name: name,
                })
                .select() // <<< delete
                .single(); // <<< delete

const res = await supabase
                .from('teams')
                .insert({
                    name: name,
                })
                .select() // <<< delete
                .single(); // <<< delete

The insert works correctly - but I do need to know the ID of the team I just created for the app flow to work correctly.

Any thoughts?

Race condition with RLS

I have somewhat of a race condition but I'm not sure the exact execution order inside postgres.

I have

teams

teams

and

team_members

team_members

tables.

teams

teams

has an RLS policy for SELECT statements meaning only members of that team can read it (if currently authed user is present in the

team_members

team_members

table). There's also a similar policy on

team_members

team_members

.

I allow any

authenticated

authenticated

user to INSERT into

teams

teams

, and then a trigger will add a row to

team_members

team_members

with the user that created the team. Simple enough.

The issue is this insert fails because of the RLS policy - because I am returning a result from the modified row, my assumption being that when I

.select()

.select()

from the insert - the trigger has not yet been run and therefore no record exists in

team_members

team_members

.

If I comment out these lines

const res = await supabase
                .from('teams')
                .insert({
                    name: name,
                })
                .select() // <<< delete
                .single(); // <<< delete

const res = await supabase
                .from('teams')
                .insert({
                    name: name,
                })
                .select() // <<< delete
                .single(); // <<< delete

The insert works correctly - but I do need to know the ID of the team I just created for the app flow to work correctly.

Any thoughts?

Race condition with RLS

Similar Threads

Race condition with RLS

Similar Threads

Similar Threads

Similar Threads