Supabase · 4mo ago
eric44

Recursion errors?

I'm suddenly having errors on my upsert to profiles table? I had the AI make the policies.
Profile upsert error: infinite recursion detected in policy for relation "profiles" null
Failed to submit profile: {
code: '42P17',
details: null,
hint: null,
message: 'infinite recursion detected in policy for relation "profiles"'
an example of one of the policies it made:
alter policy "Allow users to insert their own profiles"
on "public"."profiles"
to authenticated
with check (
(( SELECT auth.uid() AS uid) = id)
);
18 Replies
eric44 (OP) · 4mo ago
the AS uid seems to break it. and causes the recursion
garyaustin · 4mo ago
Your error is likely on a select policy where you are trying to look at the same table. You can't select from the table in the select policy as you have to meet the policy. So recursion. One way to solve is to put the select on the table in a security definer function so it bypasses RLS. Just make sure to use auth.uid() in the function and not pass it for security. The insert policy you show will not cause recursion.
eric44 (OP) · 4mo ago
I have 4 simple policies. They are all the same. The select, insert, delete, update are all the same to allow current user to edit their own row.
I was able to fix it by removing the SELECT inside and just do (id = auth.uid())
Is that bad?
garyaustin · 4mo ago
Maybe show your select policy currently. You should wrap auth.uid() with select for performance. That is not the same as selecting from the profile table itself in the select policy.
garyaustin · 4mo ago
That policy used for USING in select policy is correct to allow user to see their own row. It will not cause recursion.
[image attachment; no description]
eric44 (OP) · 4mo ago
well... it is :/
garyaustin · 4mo ago
I highly doubt it.
eric44 (OP) · 4mo ago
Then what is causing the error? It went away by removing the select.
My select on profiles table was public before. I now have it set to be seen only by the current id.
garyaustin · 4mo ago
Please show your original policy that was failing.
eric44 (OP) · 4mo ago
I don't know exactly which one, I just know it was one of the 5 I had. I'll show you the last one I have, which is unique.
eric44 (OP) · 4mo ago
[image attachment; no description]
eric44 (OP) · 4mo ago
I don't want a user updating the folder column.
garyaustin · 4mo ago
For performance you want to wrap auth.uid() in a select... https://supabase.com/docs/guides/database/postgres/row-level-security#call-functions-with-select
The policy you just showed will not work as you are selecting profiles. That will cause recursion.
eric44 (OP) · 4mo ago
So it's the folder one, huh? I wanted to stop them from editing that column once it's made.
garyaustin · 4mo ago
If you need to do that then you have to move the code in that to a security definer function and return folder to compare.
eric44 (OP) · 4mo ago
It's where I store their images.
garyaustin · 4mo ago
You can't use RLS to protect columns normally. You can use an update trigger. And block column changes by setting new.col = old.col or raise error if it is changing. Typically I see users using a folder name with the user UUID so you automatically know their folder or even using a bucket per user with the UUID as the name of the bucket.
eric44 (OP) · 4mo ago
I made a nanoid for the folder column and used that.
I guess I could use the user id... this was back when I felt scared to reveal that id in a url.
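
The two fixes garyaustin describes for keeping the folder column fixed without recursion, as an added example that is not code from the thread: a security definer function the update policy can compare against, and an update trigger. It assumes public.profiles has id uuid and folder text; the function, policy and trigger names are hypothetical, and the recursing policy shown in the comment is constructed because the failing policy itself is not on the page.

```sql
-- Added example, not code from the thread. Assumes public.profiles(id uuid, folder text);
-- the function, policy and trigger names are hypothetical. Use fix A or fix B, not both.

-- Pattern that raises 42P17 (constructed): a policy on profiles that reads profiles,
-- so evaluating the subquery re-enters the policies on the same table.
--   with check (folder = (select p.folder from public.profiles p where p.id = auth.uid()))

-- Fix A: read the stored value through a SECURITY DEFINER function. It runs as its
-- owner, which skips RLS when the owner also owns the table (no FORCE ROW LEVEL
-- SECURITY). It takes no argument, so a caller cannot ask about another user's row.
create or replace function public.current_profile_folder()
returns text
language sql
stable
security definer
set search_path = ''
as $$
  select p.folder from public.profiles p where p.id = (select auth.uid());
$$;

create policy "Users update own profile, folder unchanged"
on public.profiles
for update
to authenticated
using ((select auth.uid()) = id)
with check (
  (select auth.uid()) = id
  and folder = (select public.current_profile_folder())
);

-- Fix B: leave the policies as plain id checks and pin the column with a trigger.
create or replace function public.profiles_lock_folder()
returns trigger
language plpgsql
as $$
begin
  if new.folder is distinct from old.folder then
    raise exception 'profiles.folder cannot be changed once set';
  end if;
  return new;
end;
$$;

create trigger profiles_lock_folder
before update on public.profiles
for each row execute function public.profiles_lock_folder();
```

With fix A, any older permissive update policy on profiles has to be dropped, since permissive policies are combined with OR and the looser one would still allow the change.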