Restrict columns with RLS

Hi,

Normally I use CLS to restrict columns for the entire authenticated role. However in this case I only want to restrict a column in certain situations, I am however unable to select the old row in RLS like I can with triggers. What is the correct way to do this with RLS, and are the selected columns like title and profile_id the resulting row or just the changes, because if its just the changes I can check if its null instead.

It seems to be the latter in my instance, so just making sure if thats the way to go

create policy "users can update own questions or admins/teachers" on api.chapter_questions for update to authenticated using (
    profile_id = (select api.get_profile_id()) or
    ((select private.get_my_roles()) && array ['teacher', 'school_admin', 'org_admin'] and
     exists (select 1 from api.chapters as c where c.id = chapter_questions.chapter_id))) with check (
    profile_id = (select api.get_profile_id()) -- owners can change anything
        or ((select private.get_my_roles()) && array ['teacher', 'school_admin', 'org_admin'] and
            exists (select 1 from api.chapters as c where c.id = chapter_questions.chapter_id)
        -- Only allow changes to best_answer_id or deleted_at
        and title = old.title and content = old.content));

create policy "users can update own questions or admins/teachers" on api.chapter_questions for update to authenticated using (
    profile_id = (select api.get_profile_id()) or
    ((select private.get_my_roles()) && array ['teacher', 'school_admin', 'org_admin'] and
     exists (select 1 from api.chapters as c where c.id = chapter_questions.chapter_id))) with check (
    profile_id = (select api.get_profile_id()) -- owners can change anything
        or ((select private.get_my_roles()) && array ['teacher', 'school_admin', 'org_admin'] and
            exists (select 1 from api.chapters as c where c.id = chapter_questions.chapter_id)
        -- Only allow changes to best_answer_id or deleted_at
        and title = old.title and content = old.content));

create policy "users can update own questions or admins/teachers" on api.chapter_questions for update to authenticated using (
    profile_id = (select api.get_profile_id()) or
    ((select private.get_my_roles()) && array ['teacher', 'school_admin', 'org_admin'] and
     exists (select 1 from api.chapters as c where c.id = chapter_questions.chapter_id))) with check (
    profile_id = (select api.get_profile_id()) -- owners can change anything
        or ((select private.get_my_roles()) && array ['teacher', 'school_admin', 'org_admin'] and
            exists (select 1 from api.chapters as c where c.id = chapter_questions.chapter_id)
        -- Only allow changes to best_answer_id or deleted_at
        and title = old.title and content = old.content));

create policy "users can update own questions or admins/teachers" on api.chapter_questions for update to authenticated using (
    profile_id = (select api.get_profile_id()) or
    ((select private.get_my_roles()) && array ['teacher', 'school_admin', 'org_admin'] and
     exists (select 1 from api.chapters as c where c.id = chapter_questions.chapter_id))) with check (
    profile_id = (select api.get_profile_id()) -- owners can change anything
        or ((select private.get_my_roles()) && array ['teacher', 'school_admin', 'org_admin'] and
            exists (select 1 from api.chapters as c where c.id = chapter_questions.chapter_id)
        -- Only allow changes to best_answer_id or deleted_at
        and title = old.title and content = old.content));

Restrict columns with RLS

Similar Threads

Similar Threads

Similar Threads