don't store user permissions in database

In a recent video, Theo gave an example against storing user permissions in the database, as is done in Firebase and Supabase. Can someone please provide me with some more resources so I can read about why that is a bad practice and what the better practices around it are?
1 Reply
Nate, 4d ago
It's not so much storing the user's permissions in the database; it's more about giving users permission to query the database directly. If the user can access the database directly (as in, not going through your HTTP handlers to auth, validate, do bot detection, etc.), then you're relying on the "platform" for your access control. Giving a user "permissions": ["admin", "viewer"] or whatever is fine. It's about your code being responsible for that. With Supabase, you need to go to the dashboard and set up all of the row-level security stuff. The idea is that there's one less network round trip if the user queries the database directly, and the argument against it is that maintainability and inspectability are limited to whatever the dashboard provides instead of, like, normal code review.
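To make the reply's point concrete, here is an added example (not code from the thread, from Theo, or from Supabase) of the same read rule expressed as application code behind an HTTP handler, so the rule lives in the repository and goes through normal code review. Everything in it is constructed in memory: the users, documents and session store are assumptions for the example, and there is no real database or Supabase client.

```javascript
// Added example: authorization enforced in an HTTP handler, in application
// code, instead of by a row-level policy the client reaches directly.
// All rows below are constructed sample data; no real database is involved.

// Constructed sample rows standing in for a users table and a documents table.
const users = new Map([
  ["u1", { id: "u1", permissions: ["admin"] }],
  ["u2", { id: "u2", permissions: ["viewer"] }],
]);
const documents = [
  { id: "d1", owner_id: "u1", title: "admin notes" },
  { id: "d2", owner_id: "u2", title: "viewer draft" },
  { id: "d3", owner_id: "u2", title: "viewer published" },
];

// Hypothetical session store (token -> user id). A real service would look up
// a signed cookie or a session row; this map is an assumption for the example.
const sessions = new Map([
  ["tok-admin", "u1"],
  ["tok-viewer", "u2"],
]);

// The access rule itself. With direct database access this rule would instead
// be a row-level security policy configured in the dashboard, roughly:
//   CREATE POLICY docs_read ON documents FOR SELECT
//     USING (owner_id = auth.uid() OR <caller is admin>);
// Here it is a plain function: unit-testable, diffable, reviewable.
function canRead(user, doc) {
  if (user.permissions.includes("admin")) return true;
  return doc.owner_id === user.id;
}

// Authenticate the request. Returns the user or null, failing closed on any
// missing, malformed or unknown bearer token.
function resolveUser(headers) {
  const auth = headers.authorization || "";
  const [scheme, token] = auth.split(" ");
  if (scheme !== "Bearer" || !token) return null;
  const userId = sessions.get(token);
  return userId ? users.get(userId) ?? null : null;
}

// The HTTP handler: authenticate, validate input, then apply the authorization
// rule server-side to every row before anything leaves the process. The client
// never talks to the table, so the rule cannot be bypassed by crafting a query.
function handleListDocuments(req) {
  const user = resolveUser(req.headers);
  if (!user) return { status: 401, body: { error: "unauthenticated" } };

  // Validate the optional ?owner= filter instead of passing it through.
  const owner = req.query?.owner;
  if (owner !== undefined && !/^u[0-9]+$/.test(owner)) {
    return { status: 400, body: { error: "bad owner filter" } };
  }

  const rows = documents
    .filter((d) => owner === undefined || d.owner_id === owner)
    .filter((d) => canRead(user, d));
  return { status: 200, body: rows.map(({ id, title }) => ({ id, title })) };
}

module.exports = { canRead, resolveUser, handleListDocuments };
```

The viewer asking for `?owner=u1` gets a 200 with an empty list rather than the admin's rows: the filter narrows the query, but `canRead` still runs over every row, which is the property a row-level policy gives you, only now it is a function you can read, test and review in the same repository as the rest of the handler.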
