Prevent supabase client updateUser (need help with trigger)

I'm trying to create a trigger that prevents updateUser from supabase client unless its auth.admin ('serviceRole')

CREATE OR REPLACE FUNCTION prevent_restricted_user_updates()
RETURNS TRIGGER AS $$
BEGIN
  IF current_setting('request.jwt.claim.sub', true) = 'service_role' THEN
    RETURN NEW;
  END IF;

  IF NEW.user_metadata IS DISTINCT FROM OLD.user_metadata OR
     NEW.email IS DISTINCT FROM OLD.email OR
     NEW.phone IS DISTINCT FROM OLD.phone THEN
    RAISE EXCEPTION 'Updating user_metadata, email, or phone is not allowed.';
  END IF;

  RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE OR REPLACE TRIGGER block_restricted_user_updates
BEFORE UPDATE ON auth.users
FOR EACH ROW
EXECUTE FUNCTION prevent_restricted_user_updates();

CREATE OR REPLACE FUNCTION prevent_restricted_user_updates()
RETURNS TRIGGER AS $$
BEGIN
  IF current_setting('request.jwt.claim.sub', true) = 'service_role' THEN
    RETURN NEW;
  END IF;

  IF NEW.user_metadata IS DISTINCT FROM OLD.user_metadata OR
     NEW.email IS DISTINCT FROM OLD.email OR
     NEW.phone IS DISTINCT FROM OLD.phone THEN
    RAISE EXCEPTION 'Updating user_metadata, email, or phone is not allowed.';
  END IF;

  RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE OR REPLACE TRIGGER block_restricted_user_updates
BEFORE UPDATE ON auth.users
FOR EACH ROW
EXECUTE FUNCTION prevent_restricted_user_updates();

this seems to do the trick, but messes up signin and signup.

whats wrong?

I'm trying to create a trigger that prevents updateUser from supabase client unless its auth.admin ('serviceRole')

CREATE OR REPLACE FUNCTION prevent_restricted_user_updates()
RETURNS TRIGGER AS $$
BEGIN
  IF current_setting('request.jwt.claim.sub', true) = 'service_role' THEN
    RETURN NEW;
  END IF;

  IF NEW.user_metadata IS DISTINCT FROM OLD.user_metadata OR
     NEW.email IS DISTINCT FROM OLD.email OR
     NEW.phone IS DISTINCT FROM OLD.phone THEN
    RAISE EXCEPTION 'Updating user_metadata, email, or phone is not allowed.';
  END IF;

  RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE OR REPLACE TRIGGER block_restricted_user_updates
BEFORE UPDATE ON auth.users
FOR EACH ROW
EXECUTE FUNCTION prevent_restricted_user_updates();

CREATE OR REPLACE FUNCTION prevent_restricted_user_updates()
RETURNS TRIGGER AS $$
BEGIN
  IF current_setting('request.jwt.claim.sub', true) = 'service_role' THEN
    RETURN NEW;
  END IF;

  IF NEW.user_metadata IS DISTINCT FROM OLD.user_metadata OR
     NEW.email IS DISTINCT FROM OLD.email OR
     NEW.phone IS DISTINCT FROM OLD.phone THEN
    RAISE EXCEPTION 'Updating user_metadata, email, or phone is not allowed.';
  END IF;

  RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE OR REPLACE TRIGGER block_restricted_user_updates
BEFORE UPDATE ON auth.users
FOR EACH ROW
EXECUTE FUNCTION prevent_restricted_user_updates();

this seems to do the trick, but messes up signin and signup.

whats wrong?

Prevent supabase client updateUser (need help with trigger)

Similar Threads

Prevent supabase client updateUser (need help with trigger)

Similar Threads

Similar Threads

Similar Threads