RLS Violation
Hey guys, I just started using supabase and I am having some trouble. I created a form where users can sign up and it adds them to the authentication users table but I created a Users table in public which should store some additional information. I added RLS to it but whenever I try creating an account this gets printed: new row violates row-level security policy for table "Users". I have added photos of the policies I am using for the Users table, any help would be really appreciated.


49 Replies
How are you adding data to the table?
Do you have a signed in user session when you make the call? You can use auth.getSession to check or I believe the API Gateway log has an authentication section that shows what user is making the request.
Sorry I am very new to supabase and this whole stuff, what do you mean exactly
How are you adding data to your Users table?
for the insert, here is my code
const handleSubmit = async (e: React.FormEvent) => {
  e.preventDefault();
  if (!validateForm()) {
    return;
  }
  setIsLoading(true);
  try {
    const { data: authData, error: authError } = await supabase.auth.signUp({
      email,
      password,
    });
    if (authError) throw authError;
    if (!authData.user) throw new Error('User creation failed');
    const { error: dbError } = await supabase.from('Users').insert({
      id: authData.user.id,
      username: username,
      name: name,
    });
    if (dbError) throw dbError;
    setSubmitMessage('Account created successfully! Please check your email to verify your account.');
    setEmail('');
    setPassword('');
    setName('');
    setUsername('');
  } catch (error: any) {
    console.error('Signup error:', error);
    setSubmitMessage(error.message || 'An error occurred during signup. Please try again.');
  } finally {
    setIsLoading(false);
  }
};
Are you requiring the user to confirm their email?
I disabled that feature as I wanted to make sure it's working rn
The code you are showing will not work in "real life" as signup does not return a user session if you want to confirm their email is real, which you do. It might work for testing if you have that off as then signup does return a session.
Go to the dashboard logs session and API Gateway log and look for /rest/v1/Users
You should see an error on it.
Then look in the details and scroll down until you see an authorization section.
Ok let me see
Ya it says it's invalid

Okay what would be the alternative to this then?
regarding the code
or are you just saying that email verification needs to be on in real life (which I understand)
That does say you have an authenticated user.
The normal way is using this process:
https://supabase.com/docs/guides/auth/managing-user-data
That sets up a trigger on auth.users when a new user is created and you pass your data in as part of signUp data option. It populates your public table for you.
When looking at my table the Users table in public

it is designed like this
shouldn't this get the uid from auth as well?
Also I would like to add that it does create a user in the auth table, just has an error in the Users table
So what is wrong in my policies then?
Ahh...
You used restrictive. You really should never use that. Permissive is the default and simpler method.
Oh
could you tell me the difference between using permissive and restrictive
cus isn't restrictive more secure?
also is that the case for all policies?
Always use permissive.
That means you are allowing a user that meets the policy to have access. No policies and no access.
Restrictive means you are blocking a specific user or type of user. But it also requires first a permissive policy that it then "subtracts" from.
Ohhhhhhhh
Okay I get
I don't even look at that part of a policy when helping people as it is so rarely used and the issue is usually something else.
Ya 😂
Thank you for all your help man
Ideally you'd want to use a trigger function so Supabase automatically populates the Users table for you whenever a new user is created in auth
ah okay thank you
Yo I tried to make the trigger function but it does not populate my Users table.



Do you know what the issue is?
or @garyaustin if you know
I think you're watching the wrong table
is the "Users" table part of Auth or is that the custom table you yourself made?
Tariq is correct you are putting your trigger on Users and not auth.users as the guide suggests.
Also you really should not use capital letters for names of things in Postgres.
Where you have public.Users in your code has to be public."Users" because of that. All tables or columns with capitals have to be in double quotes.
Do they let you watch the auth.users table? Because I can't find it in the select field

When I did it I wrote the trigger manually with the sql editor
You add the trigger thru SQL.
Sort of a minimal test of should you be adding something to a reserved schema I guess.
i see
Okay I understand, would I also create the function in SQL
or is the trigger enough

like should this work?
or do I have to connect it to something as well
possibly, I'm not an expert on sql to be honest with you
the only difference with mine is that i wrote "procedure" instead of "function" and "public.create_new_user()" instead of "create_new_user()"
Your trigger is fine.
Make sure you remove the trigger on Users.
Yup I did
let me test it out
you might have to Run it first for it to take effect, I'm not sure
Run what?
the query
Yes for sure.
oh I forgot the on hahahaa
okay it worked though thank you guys
np
this stuff kinda confusing no or just me hahaha
make sure you remove the code where you add data to the Users table since you won't need it anymore
If you get errors signing up, you will need to check the Postgres logs for help debugging your trigger function.
For instance if you forgot security definer type for the function or left it as public.Users without "Users".
The log will give the specific issue versus just 500 DB error.
Ah okay
hey guys have you guys created your projects with next.js
Because I want to get the session right on different components
but I am not sure how to exactly do that
Should I create one general file which gets the session and then in each component get the session
or wrap the layout with a session 'container', but that would cause the whole application to use client
Wrapping a server component with a client component doesn't turn it into a client component
The children between the client component would still be server components
But regardless ur not meant to do it that way, no
You'd want to follow this guide first
Okay thanks I will look into this