Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, and Storage.

Supabase

Did you create your own policy from scratch or apply one of the templates?

I used the template but changed the column name to match mine

I wonder if its my actual function for deleting

ah, something could be happening in javascript and it's not hitting supabase?

it works with no security but maybe it isn't sending the right info to supabase

I'm using dart but its very similarly structured

`currentUser!.id` <--- is that dart syntax with the `!`?

its basically saying that currentUser will never be null

I know it isn't null because it works when RLS is disabled

I feel like maybe I'm missing a query that sends the id

if the only difference is enabling/disabling RLS then it appears to be the configuration somehow?

so its checking the row but it isnt verifying im signed in

and my policy seems to be correct so it must be the dart code

do you also need to send the id of the duplicate record?

in javascript I have to "await" any async calls to supabase do you have to do that in dart?

What I'm saying is that there is no await on the call to supabase.auth.user() like on the delete so the delete might run before supabase.auth.user() has finished?

so the tables called userworkouts_duplicate just because I don't want to delete my actual data when testing. In dart you can await async calls which I am doing. After final response it has the await tag and its an async function

dart is essentially just JS with a few differences

Guys can you make a thread here so it’s easier to follow this discussion?

I think maybe the issue is when I'm making the query it isn't sending the userid to check in the RLS. It's checking if userid is equal to the column in the table which explains why it works without RLS

but with RLS maybe the policy is correct but it's just recieving null so it doesn't work

since there is no await on the supabase.auth.user() call then the supabase client can't send the right userid because it doesn't have it?

found this code online which is essentially what I have

I might try adding await to that and see but because it works without RLS I dont think thats it

I’m not familiar with flutter but once you get your rls working you don’t need to send any parameters.  You can just do `.delete()` and it’ll only delete records that match the rls.

hmm thats really odd that it isn't working once it's enabled then

I think in flutter eq is checking the actual column value

I have 7 rows with that value and I only want to delete them

Rls policies effectively just get added to the `where` clause.

so you can do both (eq and RLS) if you want to be more specific than RLS alone?

Doesn’t hurt but doesn’t do anything.

without the eq how would it know which rows to delete?

eq is required I think unless thats just because I had the RLS disabled

Effectively PostgreSQL is running `where field = ‘x’ AND where field = ‘x’

I see what you are saying. EQ could be used to check some other column and then RLS would come behind and also check that userid matches (or whatever policy has been set). Does that sound right?

RLS policies automatically add the RLS expression to the WHERE clause of the statement being run.

Alright so I removed the eq and enabled RLS and it still has the same issue

but without the eq it wipes all user data in the table

RLS is just to check whether to allow that query to be run if RLS is truthy, the query is run RLS won't affect the query

do all the rows in the table match the policy you have defined?

this is my table. Not the best way of doing things probably

so its a one to many relationship I from the profile table I believe

like all the other policies work and they have the same check in them

Without RLS and with the eq do all the rows get deleted too?

no, only the 7 I want deleted that belong to the user

So the problem is that the delete query deleted rows where the RLS shud have failed?

Yes from my understanding. By removing the eq it is just told to delete all rows in that table

with RLS it did nothing without it deleted it all

No but then the RLS expression shudnt let it

So effectively your RLS is always returning FALSE

with RLS disabled I get an actual return of the data being deleted

RLS will return false because u have rows that don't pass the expression right? Try turning rls on and then use eq to make sure the row will be true in rls

Your table name is userworkouts_duplicate?

I'm running it on the duplicate so I don't delete my actual user data accidently

And you’re referencing that table from your client application?

I tested it on the duplicate without RLS and it works fine

Just making sure you’re not missing anything small

I dont think thats the issue because it works with update, insert and access

With RLS on and the policy and using eq it does nothing

When I use RLS it just stops working only for delete, everything else works

What operations have u selected in the RLS policy?

Try adding select operation to this policy and check with rls on and eq operator

https://stackoverflow.com/questions/39864202/postgresql-unable-to-update-row-with-row-level-security

Do you know who the owner of the table is?

Those two screen shots say `user_id` and `userid`

Can anyone help me with this policy?
```
CREATE POLICY "Only members of the parent conversation can see its private messages."
    ON privatemessages
    FOR SELECT USING (
        auth.uid() = ANY(
        array_agg
            (
                (SELECT members FROM conversations WHERE conversations.id = privatemessages.id)
            )
        )
    );
```
Error is `aggregate functions are not allowed in policy expressions`

I have to run now, but I would write a separate function for this then just call the function from inside my policy.