S
Supabase4w ago
Deammer

RLS for bucket joined with table data

Hello 👋🏻 I'm unable to figure out the correct syntax for a row-level security policy on my storage bucket. I have a table named entities that has columns for user_id, slug, and name. I also have a bucket where I want to store an image for each entity. I want the image to be stored at the path /:slug/images, so for example my entity with slug my-thing would have an image at the path /my-thing/images/image.png. When a user attempt to upload an image to their folder, I want to check that they have access to that folder by checking the user_id and slug in my entities table. Here's what my policy query looks like: 
BEGIN;
  ALTER POLICY "Give users access to their own folders"
  ON "storage"."objects"
  WITH CHECK (
    ((bucket_id = 'my-bucket'::text)
    AND (
      (SELECT auth.uid() AS uid)
      IN (SELECT entities.user_id FROM entities WHERE ((entities.slug)::text = (storage.foldername(name))[1])))
    )
  );
COMMIT;
BEGIN;
  ALTER POLICY "Give users access to their own folders"
  ON "storage"."objects"
  WITH CHECK (
    ((bucket_id = 'my-bucket'::text)
    AND (
      (SELECT auth.uid() AS uid)
      IN (SELECT entities.user_id FROM entities WHERE ((entities.slug)::text = (storage.foldername(name))[1])))
    )
  );
COMMIT;
Every time I save this policy, Supabase replaces storage.foldername(name) with storage.foldername(entities.name) which will never work. Can anybody please help me figure out what I'm doing wrong?
2 Replies
garyaustin
garyaustin4w ago
try putting objects.name instead of name. Because you have two columns both named... name it is picking the table in the query which there is entitites.
Deammer
DeammerOP4w ago
That did the trick, thank you so much!

Did you find this page helpful?