Row RLS: What am I doing wrong here?
Hello folks.
I have enabled RLS on my products table. The Products table has a column titled "serveruid".
I have another table titled userservers which contains user_ids along with the serveruids they belong to.
I am trying to configure my RLS to allow users who belong to the server to view the products table, but with no luck.
What am I doing wrong here?
10 Replies
Do you meet select RLS on userservers?
Oh wow, good call
No, I do not
How do I enable RLS on userservers for the supabase backend?
For cases like this, for instance
I don't know what you mean. You add RLS so the user has access just like every other table.
Another option is to move all that code to a security definer function then it won't care about RLS on the subtable. It would likely be much faster also.
Like with products, we are referencing another table - userservers. The Supabase policy also needs access to userservers
The user has to have access.
There is no special case for a sub table not needing RLS.
Got it, how would I implemet it using this? Wouldn't each table's policy be different?
Yes.
But the user has to be able to read the row in the userservers table. So probably user_id = auth.uid() on that table.
https://supabase.com/docs/guides/database/postgres/row-level-security#use-security-definer-functions
I would consider though the security definer function approach.
Got it, I will work that in now.
how does a security definer work ?
Thank you, I will have a look
Going to try to have it work with RLS then have a look at the security definer function
If it is a large table (or will be) you will want to do that for performance.
The RLS worked, thank you so much! I am going to read into security definer functions now