Supabase, 11mo ago

Prevent supabase client updateUser (need help with trigger)

I'm trying to create a trigger that prevents updateUser from the Supabase client unless it's auth.admin ('serviceRole').

CREATE OR REPLACE FUNCTION prevent_restricted_user_updates()
RETURNS TRIGGER AS $$
BEGIN
  IF current_setting('request.jwt.claim.sub', true) = 'service_role' THEN
    RETURN NEW;
  END IF;

  IF NEW.user_metadata IS DISTINCT FROM OLD.user_metadata OR
     NEW.email IS DISTINCT FROM OLD.email OR
     NEW.phone IS DISTINCT FROM OLD.phone THEN
    RAISE EXCEPTION 'Updating user_metadata, email, or phone is not allowed.';
  END IF;

  RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE OR REPLACE TRIGGER block_restricted_user_updates
BEFORE UPDATE ON auth.users
FOR EACH ROW
EXECUTE FUNCTION prevent_restricted_user_updates();


This seems to do the trick, but messes up signin and signup.

What's wrong?