Guest users not able to place an order from the website. Also, signed in user
1. I have a check out as a guest option where any customer can place an order without signing in. I'm facing the below error for the same. Supabase error, it would be great if anyone helps as my system is currently in prod.
Fetch error from https://wnocqkyhnsckgpyzmgsj.supabase.co/rest/v1/orders?columns=%22user_id%22%2C%22cart_items%22%2C%22subtotal%22%2C%22delivery_fee%22%2C%22hst%22%2C%22total%22%2C%22delivery_info%22%2C%22payment_info%22%2C%22status%22&select=*: {
"code": "42501",
"details": null,
"hint": null,
"message": "new row violates row-level security policy for table "orders""
}
39 Replies
Your RLS error is pretty clear. You don't meet RLS for, I assume an insert, on the table order.
What is your insert policy (also your select policy) if you are using select on the insert?
How are you managing users that are not logged in?
I am new to Supabase, earlier using a Shopify store, and I don't have mandatory login for the guest users, but they need to enter a phone number or email for delivering the food.

This does not seem very secure. Anyone could provide anyone's phone number even not using your app. But maybe you check later for a credit card so it is safe in the end...
Your policy seems to be both email and phone are required if user_id is null, but you said or in your text above.
If you used .insert().select() you also have to meet the select policy.
so what should be the correct policy here?
Are you wanting email or phone not null? If so change your AND to an OR. Probably need to surround the two with parentheses also.
You also did not answer on select.
phone number
Can I create 2 policies one for authenticated users and one for guest users for inserting. Also, select and insert for authenticated
You can create separate policies they will be OR'd.
You still have not answered on your select policy and if you are doing insert().select() in your code. If you are then you have to allow even non logged in users to access the table which will be a problem. You would likely need to remove the .select() part.
yes
I will remove it but what should be the policy query?
You had a policy that was close I think. You just needed to change AND to OR between email and phone. Then wrap in parentheses.
(((user_id IS NOT NULL) AND (auth.uid() = user_id)) OR ((user_id IS NULL) AND (guest_email IS NOT NULL)) OR (guest_phone IS NOT NULL))
is it correct
I'm still facing the error below
Fetch error from https://wnocqkyhnsckgpyzmgsj.supabase.co/rest/v1/orders?columns=%22user_id%22%2C%22cart_items%22%2C%22subtotal%22%2C%22delivery_fee%22%2C%22hst%22%2C%22total%22%2C%22delivery_info%22%2C%22payment_info%22%2C%22status%22%2C%22guest_email%22%2C%22guest_phone%22&select=*: {
"code": "42501",
"details": null,
"hint": null,
"message": "new row violates row-level security policy for table "orders""
}
(((user_id IS NOT NULL) AND (auth.uid() = user_id)) OR ((user_id IS NULL) AND ((guest_email IS NOT NULL)) OR (guest_phone IS NOT NULL)))
I would add a set of parentheses around the last pair of conditions in the OR.
Do you do .select() on the insert()?
whatever is good for food website
I'm new to these policies
And I can only try and help you fix a bug.... NOT tell you how to design your website security.
sure 100%, I will add insert for now
The policy I showed (I THINK as I have no way to test) should allow an authenticated user to insert and if user_id is not provided allow access if email or phone is set.
I'm still getting the same error with this policy

Show your insert code.
And you did not change the parentheses like I showed.
I updated the one you pinged (((user_id IS NOT NULL) AND (auth.uid() = user_id)) OR (((user_id IS NULL) AND (guest_email IS NOT NULL)) OR (guest_phone IS NOT NULL)))
This is what I showed:
(((user_id IS NOT NULL) AND (auth.uid() = user_id)) OR ((user_id IS NULL) AND ((guest_email IS NOT NULL)) OR (guest_phone IS NOT NULL)))
That is not what you are showing.
Looks like what I provided still does not have the ()'s set right, sigh.
(((user_id IS NOT NULL) AND (auth.uid() = user_id)) OR
((user_id IS NULL) AND ((guest_email IS NOT NULL) OR (guest_phone IS NOT NULL))))
And it could also be you still doing a .select() as you have not shown your call.
Or it could be you are not passing in the correct insert with no user_id and a phone or email address.
Can I use this and test (((user_id IS NOT NULL) AND (auth.uid() = user_id)) OR
((user_id IS NULL) AND ((guest_email IS NOT NULL) OR (guest_phone IS NOT NULL))))
still not working
Supabase error
Fetch error from https://wnocqkyhnsckgpyzmgsj.supabase.co/rest/v1/orders?columns=%22user_id%22%2C%22cart_items%22%2C%22subtotal%22%2C%22delivery_fee%22%2C%22hst%22%2C%22total%22%2C%22delivery_info%22%2C%22payment_info%22%2C%22status%22%2C%22guest_email%22%2C%22guest_phone%22&select=*: {
"code": "42501",
"details": null,
"hint": null,
"message": "new row violates row-level security policy for table "orders""
}
Supabase error
Order placement error: {
"code": "42501",
"details": null,
"hint": null,
"message": "new row violates row-level security policy for table "orders""
}
You have a select on the end still?
this is my other select policy

Show your insert call.
That only allows authenticated users to read.
The problem if you change it to allow all to read is then all entries in your table can be seen. So you need to remove the .select() from the end of the insert call you are making in your code.

If you have .insert().select() in your client code then both the insert and the select policy have to be met. You won't meet your select policy right now as it is for authenticated users.
Show your insert call in your client code.
I don't see an insert or any operation to the orders table in that code.
I have this file only for authentication
on the front end
Can you show me in there the orders table being used?
I don't see any request to that.
So some other piece of code is making the request.
I see orders file here
import React from 'react';
import { Helmet } from 'react-helmet';
import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
import { useToast } from "@/components/ui/use-toast";

const AdminOrders = () => {
  const { toast } = useToast();
  const comingSoonToast = () => {
    toast({
      title: "🚧 Feature In Progress",
      description: "This page is currently under construction. Full functionality is coming soon!",
    });
  };
  comingSoonToast();
  return (
    <div>
      <Helmet>
        <title>Admin: Orders - BhagiBhavan</title>
      </Helmet>
      <h1 className="text-3xl font-bold text-gray-800 dark:text-white mb-6">Orders</h1>
      <Card>
        <CardHeader>
          <CardTitle>Order Management</CardTitle>
        </CardHeader>
        <CardContent>
          <p className='text-muted-foreground'>This section will display all customer orders, including paid, pending, and abandoned checkouts. You'll be able to filter and manage them from here. Coming soon!</p>
        </CardContent>
      </Card>
    </div>
  );
};

export default AdminOrders;

// This is the line that tries to create the order in your database
const { data: savedOrder, error } = await supabase
  .from('orders')
  .insert([orderData]) // <-- The error happens here
  .select()
  .single();
You have to remove that part.
But then if the code after depends on some value being returned in savedOrder that will fail and you need to come up with a way to read your orders table to get the data (like maybe an order id the insert automatically creates?).
so what should I remove?
select? or insert?
You have to remove the select and single.
BUT like I said your code after may need that value and then you and your AI will need to solve that with maybe an RPC call to get the value you need by email/phone.
BUT you can't make your select policy work for non signed in users without letting users see all rows in your table which I assume would be very bad.
I commented select and got the below error after trying to place an order
TypeError: Failed to fetch
at window.fetch (https://7baff14c-1c3c-4ad4-b38f-79cf737d341a.dev38.app-preview.com/:245:23)
at https://7baff14c-1c3c-4ad4-b38f-79cf737d341a.dev38.app-preview.com/node_modules/.vite/deps/@supabase_supabase-js.js?v=8e84a05f:4271:23
at https://7baff14c-1c3c-4ad4-b38f-79cf737d341a.dev38.app-preview.com/node_modules/.vite/deps/@supabase_supabase-js.js?v=8e84a05f:4292:12
at Generator.next (<anonymous>)
at fulfilled (https://7baff14c-1c3c-4ad4-b38f-79cf737d341a.dev38.app-preview.com/node_modules/.vite/deps/@supabase_supabase-js.js?v=8e84a05f:4244:24)
Supabase error
Fetch error from https://wnocqkyhnsckgpyzmgsj.supabase.co/functions/v1/send-order-confirmation: {
"error": "Cannot read properties of null (reading 'cart_items')"
}
No idea.
But like I said if you were expecting some info back from the insert then it will not be there now. If you called send-order-confirmation with something from savedOrder that would likely fail.
ok
thank you very much for your help so far, I really appreciate it

this fixed the issue
now don't see any error
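
Added example, not from the thread: a query that evaluates the policy expression as first posted and as finally corrected over constructed rows, showing that without the inner parentheses any row with guest_phone set passes whatever user_id holds, followed by the same rule split into the two insert policies asked about. The `caller` column stands in for `auth.uid()`; the `public` schema and the policy names are assumptions.

```sql
-- Part 1 runs on any PostgreSQL. Rows are constructed; "caller" plays the role
-- of auth.uid(), with NULL meaning a guest (not signed in) request.
with sample (label, user_id, guest_email, guest_phone, caller) as (
  values
    ('guest, email only', null::uuid, 'a@example.test'::text, null::text, null::uuid),
    ('guest, phone only', null, null, '555-0100', null),
    ('guest, no contact', null, null, null, null),
    ('signed in, own id', '11111111-1111-1111-1111-111111111111', null, null,
                          '11111111-1111-1111-1111-111111111111'),
    ('guest, foreign id', '22222222-2222-2222-2222-222222222222', null, '555-0100', null)
)
select
  label,
  -- WITH CHECK rejects a row when the expression is false or NULL,
  -- so coalesce(..., false) mirrors the outcome of the check.
  coalesce(
    ((user_id is not null) and (caller = user_id))
    or ((user_id is null) and (guest_email is not null))
    or (guest_phone is not null),
    false) as first_posted,
  coalesce(
    ((user_id is not null) and (caller = user_id))
    or ((user_id is null) and ((guest_email is not null) or (guest_phone is not null))),
    false) as final_version
from sample;

-- Part 2: the final rule as two insert policies (policies for the same
-- command are OR'd). Assumes Supabase's anon and authenticated roles and
-- auth.uid(); schema "public" and the policy names are hypothetical.
create policy "orders_insert_signed_in" on public.orders
  for insert to authenticated
  with check (auth.uid() = user_id);  -- NULL user_id yields NULL, so it is rejected

create policy "orders_insert_guest" on public.orders
  for insert to anon
  with check (
    user_id is null
    and (guest_email is not null or guest_phone is not null)
  );

-- An insert that asks for the new row back (.insert().select() in the client)
-- must also pass a SELECT policy; these two policies cover the insert only.
```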