# off-topic
  • h

    Huntedman

    01/05/2023, 7:41 PM
    I created a view on my RLS secured table.
    ```sql
    CREATE VIEW public.public_trainings AS
    SELECT
      id,
      published_at,
      required_read_permission
    FROM public.trainings;
    ```
    I was surprised that anon and authenticated could do INSERT 😱😱😱 operations on the base table through this view. So I ended up doing
    ```sql
    REVOKE ALL ON public.public_trainings FROM anon, authenticated;
    GRANT SELECT ON public.public_trainings TO anon, authenticated;
    ```
    Is this enough to only allow select operations on the view? Are there any other roles jwt users could assume?
  • g

    garyaustin

    01/05/2023, 7:44 PM
    With Postgres 15 you can now enforce RLS on views. Your question really belongs in #1006358244786196510 though if you want follow-up.
  • h

    Huntedman

    01/05/2023, 7:47 PM
    Thanks for the quick reply. I do understand that I can do RLS on views, but I essentially wanted to return "public" data for an underlying table. What made my jaw drop was this blog post: https://supabase.com/blog/postgresql-views Like, it says that you can use views for security, but fails to mention that if you don't REVOKE permissions on the view, ANYONE can edit, insert, update the underlying data!
  • h

    Hosenur

    01/05/2023, 9:28 PM
    I hosted Supabase using the docker image, but I can't find the functions options. Is it not available?
  • g

    garyaustin

    01/05/2023, 9:52 PM
    See the bottom of this https://supabase.com/docs/guides/resources/supabase-cli/local-development Please do any follow up in #1006358244786196510
  • z

    zetashift

    01/05/2023, 11:19 PM
    I wonder if there is an easier way to guide people to help, because it seems a significant amount of people ask their questions here
  • g

    garyaustin

    01/05/2023, 11:32 PM
    We have been discussing it, open to suggestions. We don't want to go back to the "wild wild west" though we had with all questions/help issues in a thread like this because it becomes impossible to know what has answers further down, etc. Discord seems to be investing time into developing the new forum style channel. Hopefully they add some sort of built in solved "button" as that would really help clean that up more.
  • z

    zetashift

    01/05/2023, 11:44 PM
    Completely understandable! I don't have any suggestions currently other than maybe renaming chit-chat to offtopic
  • c

    coker

    01/06/2023, 3:18 AM
    Hello everyone, first time in this Discord. If I'm having trouble getting a really basic RLS policy set up, is the best place for that in #1006358244786196510 ? Or is there a better channel for that?
  • z

    zetashift

    01/06/2023, 3:29 AM
    that'd still be #1006358244786196510 !
  • c

    coker

    01/06/2023, 3:29 AM
    just checking, thanks!
  • z

    zetashift

    01/06/2023, 3:30 AM
    no worries, I think a lot of people have initial hurdles setting up RLS 😛
  • t

    themes.dev

    01/06/2023, 7:22 AM
    Is it not a security concern that a user's password can be updated without verifying the current password of the logged-in user? https://supabase.com/docs/reference/javascript/auth-updateuser
  • d

    Desmond

    01/06/2023, 9:45 AM
    Hi, I'm trying to query a table for all entries that were created_at a specific day, but I can't figure out how to do this. My current guess is
    client.from('table').select('*').eq('created_at::date','YYYY-MM-DD');
    where YYYY-MM-DD is a string. This, however, doesn't work. (Flutter/Dart)
  • d

    Desmond

    01/06/2023, 9:47 AM
    Another idea
    client.from('table').select('*').eq('created_at::year','YYYY').eq('created_at::month','MM').eq('created_at::day','DD');
    yields no result..
  • d

    Desmond

    01/06/2023, 10:27 AM
    Ah! Found it:
    client.from('table').select('*').gte('created_at','today()');
    gives the wanted result.
  • l

    Lewey

    01/06/2023, 3:13 PM
    moved to #1006358244786196510
  • s

    skiabox

    01/06/2023, 3:42 PM
    Hello friends!
  • s

    skiabox

    01/06/2023, 3:42 PM
    I want to create a remix run project and use supabase as a back end
  • s

    skiabox

    01/06/2023, 3:43 PM
    Do you think that I should also add a back-end framework in the stack like nest.js ?
  • s

    skiabox

    01/06/2023, 3:43 PM
    Or the combination of remix + supabase is enough ?
  • r

    RainZone

    01/06/2023, 10:36 PM
    Is it possible to upload an image to a storage and later display it without a user or using RLS? The image would be uploaded over an API-Route in NextJS. Could it work with a private key in my .env-file?
  • c

    cannap

    01/07/2023, 2:33 PM
    i learn supabase with a twitter clone and an edit button 😄 but i am damn slow since i worked with vue 2(pure js ) now switched to vue3(ts) XD
  • t

    thy

    01/07/2023, 3:27 PM
    would it be redundant to use supabase and django?
  • g

    Gregory

    01/07/2023, 5:22 PM
    Hello loving supabase so far, excited to collaborate here
  • z

    Zencep

    01/07/2023, 8:47 PM
    I just had a random question, not an issue with Supabase and it's not really something I need "help" with. I'm debating, should it be here or #1006358244786196510? I'm down with either.
  • s

    silentworks

    01/07/2023, 9:43 PM
    I just had a random question not an
  • h

    honkstyle

    01/08/2023, 3:08 AM
    To a certain extent, but there are probably some things a backend is easier with
  • n

    nahtnam

    01/08/2023, 6:53 AM
    What is !hint and !inner? I can't find docs for it anywhere
  • v

    Vik

    01/08/2023, 7:06 AM
    Super random question, what's your go-to dark mode color code? I've been using #121212