Supabase•3w ago
Rasan II

Someone explain RLS for me

I think a new update has come where all my tables have an "Unrestricted" warning on them. I understand that RLS is for security, I understand that it makes only authenticated people access your data; however, the idea is, if you're creating a private system that's to be accessed by only a few employees in a small business, is it still necessary? What risks am I taking if I don't implement them? And what are some best practices for them?
12 Replies
Daniel H. Alcojor•3w ago
RLS dictates how users (or not-users) access your data. If you don't implement any policy, then anyone (user or not) can access and edit data. You really need to put some policies in place if you want your data secured.
Rasan II (OP)•3w ago
Okay, but let's say I do not do them, how exactly do the non-users get access to my data? Using what methods? Don't they need some project ID / API key or something? I'm certain it's necessary for data security and I will implement them, I just want to know the risks of not doing them.
Michael•3w ago
Just by querying your database, it's completely public. Yeah, but most likely you show one of your keys in any client-facing application.
Rasan II (OP)•3w ago
That's very likely, you're right.
Michael•3w ago
It basically turns your anon key into a service role key, which is not what you want.
Rasan II (OP)•3w ago
And usually doing authenticated is good enough, I suppose? So that only people who have accounts get access? Like allow only authenticated users to access the data? And then Supabase auth handles the security this way: people who have registered, or a superadmin made accounts for?
Michael•3w ago
wdym? @Rasan II, you are asking how to enable RLS properly?
Rasan II (OP)•3w ago
I remember RLS policies. You set "authenticated users can read/write". Is this one of the most common setups? Or are there other layers to it? Cus then if someone has my key, but no account, they can't fiddle.
uldynia 🪻•3w ago
Yes, authenticated users can read/write, add one more policy so anon users can only read.
Rasan II (OP)•3w ago
So anon is also a category of users I can block/allow. Authenticated is a category of people I can block/allow. This is good info. Any other common user type?
uldynia 🪻•3w ago
Your policies should be:
• admins can do anything
• authenticated users can create, update, delete their own records
• anyone (including authenticated/anonymous users) can read records
I know it sounds bad, but there's a point where I just use the AI assistant to make the policies.
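One concrete way to write the three rules above (and the earlier "authenticated read/write, anon read-only" split) as Supabase RLS policies. This is an added example, not code from anyone in the thread; the `notes` table and the `profiles.is_admin` column are assumptions.

```sql
-- Added example (not from the thread): the three-rule policy set described
-- above, on a constructed table. Names (notes, profiles.is_admin) are assumptions.
create table public.notes (
  id       bigint generated always as identity primary key,
  owner_id uuid   not null default auth.uid() references auth.users (id),
  body     text   not null
);

-- Until RLS is enabled the policies below are ignored and the table stays
-- "Unrestricted": anyone holding the anon key can read and write every row.
alter table public.notes enable row level security;

-- Admin check. Assumes public.profiles(id uuid, is_admin boolean).
-- security definer so the lookup is not itself blocked by RLS on profiles.
create or replace function public.is_admin() returns boolean
language sql stable security definer set search_path = public as $$
  select coalesce((select is_admin from public.profiles where id = auth.uid()), false);
$$;

-- 1. Anyone, anonymous or signed in, may read.
create policy "notes_read_all" on public.notes
  for select to anon, authenticated using (true);

-- 2. Signed-in users may create, update and delete only their own rows.
--    `with check` guards the row being written, `using` the row being touched.
create policy "notes_insert_own" on public.notes
  for insert to authenticated with check (owner_id = auth.uid());
create policy "notes_update_own" on public.notes
  for update to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
create policy "notes_delete_own" on public.notes
  for delete to authenticated using (owner_id = auth.uid());

-- 3. Admins may do anything. Policies are permissive, so this ORs with the rest.
create policy "notes_admin_all" on public.notes
  for all to authenticated using (public.is_admin()) with check (public.is_admin());
```

To verify from the SQL editor, `set role anon;` and then try a `select` and an `insert` on `public.notes`: the read succeeds and the write is rejected, which is the behaviour the unrestricted table did not have.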
Michael•3w ago
Yeah, anon is anonymous, i.e. unauthenticated. It only goes into two categories, auth & unauth'd.