S
Supabase2mo ago
March

Cannot see the "new policy" button in the storage objects section

I am new to development so maybe its something stupid but please help me out with this I am not sure what I did wrong I was just following a tutorial.
No description
12 Replies
ihm40
ihm402mo ago
i don't think you should see that button "new policy" storage.buckets and storage.objects are tables under the storage schema and those tables are managed by supabase so the reccomendation is that you don't try alter them in general you should manage policies for those tables which are publicly exposed
March
MarchOP2mo ago
Thanks cool guy :sunglaso:
ihm40
ihm402mo ago
no worries!
Fieryduck82579
Fieryduck825792mo ago
I am developing locally, and as you can see, the "New policy" button is displayed. I am on the latest version of supabase-cli@2.39.2. I had to set up storage.objects policy to allow users to upload to their directory using presigned URL. 
CREATE POLICY "customer can upload to personal folder"
ON storage.objects FOR INSERT TO 'authenticated'
WITH CHECK(
    bucket_id = 'customer'
    AND (storage.foldername(name))[1] = auth.uid()::TEXT
);
CREATE POLICY "customer can upload to personal folder"
ON storage.objects FOR INSERT TO 'authenticated'
WITH CHECK(
    bucket_id = 'customer'
    AND (storage.foldername(name))[1] = auth.uid()::TEXT
);
From what I've gauged, all bucket-specific policies are basically storage.objects policies with the bucket_id set to the whatever the name of your bucket is. Thus, policies applied to the storage.objects could be used as a "catch-all" policies. Example: 
CREATE POLICY "All can retrieve bucket metadata"
ON storage.bucket FOR SELECT
TO authenticated
USING(TRUE);
CREATE POLICY "All can retrieve bucket metadata"
ON storage.bucket FOR SELECT
TO authenticated
USING(TRUE);
Notice that the bucket_id is omitted (the column is nullable, see image). 
await supabase.storage.getBucket('customer')
await supabase.storage.getBucket('customer')
This would return the bucket metadata about any bucket.
No description
No description
ihm40
ihm402mo ago
if you want to see that on the dashboard i think you would have to write an SQL query to do that. It may just be the dashboard that it doesn't allow setting policies via the UI 
Schemas managed by Supabase
The following schemas are managed by Supabase and are currently protected from write access through the dashboard.

auth
cron
extensions
information_schema
net
pgsodium
pgsodium_masks
pgbouncer
pgtle
realtime
storage
supabase_functions
supabase_migrations
vault
graphql
graphql_public
pgmq_public
These schemas are critical to the functionality of your Supabase project and hence we highly recommend not altering them.

You can, however, still interact with those schemas through the SQL Editor although we advise you only do so if you know what you are doing.
Schemas managed by Supabase
The following schemas are managed by Supabase and are currently protected from write access through the dashboard.

auth
cron
extensions
information_schema
net
pgsodium
pgsodium_masks
pgbouncer
pgtle
realtime
storage
supabase_functions
supabase_migrations
vault
graphql
graphql_public
pgmq_public
These schemas are critical to the functionality of your Supabase project and hence we highly recommend not altering them.

You can, however, still interact with those schemas through the SQL Editor although we advise you only do so if you know what you are doing.
The supabase warning^
garyaustin
garyaustin2mo ago
This could be a bug/regression in the UI. I don't find a PR saying they want to remove the new policy option. And there were a few storage PR's the past 2 weeks.
Fieryduck82579
Fieryduck825792mo ago
I suspect this is a bug too. I cannot recreate the issue in Brave (on Linux).
Fieryduck82579
Fieryduck825792mo ago
From what I've understood, this refers to altering the protected schema through the Table Editor. It doesn't apply to elsewhere where the dashboard allows you to interact. For example, the docs for storage require that you apply RLS policies on the protected storage schema (see https://supabase.com/docs/guides/storage/security/access-control).
No description
garyaustin
garyaustin2mo ago
Yes. You can/must add RLS policies to storage.objects and storage.buckets to access those from the API users authenticated or anon. The storage UI used to do that for the top policy section as well as the bottom two.
Fieryduck82579
Fieryduck825792mo ago
Thanks for confirming. That’s exactly the assumption I’ve been working with, so good to know I’m on the right track.
garyaustin
garyaustin2mo ago
I flagged this to Supabase with the PR that broke it. There is a PR underway to fix it. https://github.com/supabase/supabase/pull/38499 The SQL editor is the solution in the meantime.
GitHub
Fix adding bucket policy to schema by SaxonF · Pull Request #38499...
Removes check for bucket to add new policy to storage.objects or storage.buckets schema
March
MarchOP2mo ago
:supafire:

Did you find this page helpful?