Supabase #sql

Join Discord

HorseShoe

08/25/2021, 5:24 PM

because seems like user is a string by default that contains admin / anon ig?

HorseShoe

08/25/2021, 5:24 PM

I cud just change the column name to user_id but i wanted to know how to do it anyway

HorseShoe

08/25/2021, 5:25 PM

like how we wud assign data in select

Copy code

select msg.name, usr.name as user from messages msg, users usr

user

08/25/2021, 6:30 PM

Thank you!

Peanut

08/26/2021, 4:04 AM

How do I use the result of a function inside a policy UPDATE? eg.

Copy code

CREATE FUNCTION auth.firebase_uid()
RETURNS TEXT
AS $$
    SELECT nullif(current_setting('request.jwt.claim.sub', true), '')::TEXT
$$ LANGUAGE sql;

CREATE FUNCTION getIsUserEditorOrAdmin(id TEXT)
RETURNS BOOLEAN
AS $$
    SELECT role = 'admin' OR role = 'editor' FROM userAdminMeta WHERE id = $1
$$ LANGUAGE sql;

CREATE POLICY "Users can update their own profile OR staff can update any profile."
    ON users
    FOR UPDATE USING (
        auth.firebase_uid()::TEXT = users.id OR
        getIsUserEditorOrAdmin(auth.firebase_uid()) = TRUE
    );

This doesn't seem to work: postgREST returns 404 getIsUserEditorOrAdmin returns "true" for my user ID (which I provide using a JWT token) If I update my OWN user it works perfect It looks like an issue with my getIsUserEditorOrAdmin() function. Have I defined it wrong? Do I need to change how it returns?

jason-lynx

08/26/2021, 8:13 AM

does it work if you add a

select

before it?

Copy code

CREATE POLICY "Users can update their own profile OR staff can update any profile."
    ON users
    FOR UPDATE USING (
        auth.firebase_uid()::TEXT = users.id OR
        (SELECT getIsUserEditorOrAdmin(auth.firebase_uid())) = TRUE
    );

jason-lynx

08/26/2021, 8:22 AM

> postgREST returns 404 what is the full error message?

jason-lynx

08/26/2021, 8:22 AM

and what did you run?

Peanut

08/26/2021, 8:42 AM

Nope tried this and still same error:

Copy code

CREATE POLICY "Users can update their own profile OR staff can update any profile."
    ON users
    FOR UPDATE USING (
         auth.firebase_uid()::TEXT = users.id OR
        (SELECT(getIsUserEditorOrAdmin(auth.firebase_uid())) = TRUE)
    );

Peanut

08/26/2021, 8:43 AM

I dont get any error message (no body). Just a 404 status code. When I disable the RLS or modify it remove the

getIsUderEditorAdmin()

call I get a 204 (success). So definitely the policy

Peanut

08/26/2021, 8:44 AM

The REST call is

PATCH {{serverurl}}/rest/v1/users?id=eq.abcdef

where the doc id is a real id

Peanut

08/26/2021, 8:44 AM

Is there a way to debug function calls or policies? This trial and error is hard

jason-lynx

08/26/2021, 9:07 AM

hmm cant really tell from that nor reproduce. one way i try to debug these things is to use the sql editor and impersonate users making requests:

Copy code

SET LOCAL request.jwt.claim.sub = <YOUR USER ID>;
SET LOCAL ROLE authenticated;

SELECT getIsUserEditorOrAdmin(auth.firebase_uid()) = TRUE

this should return true

jason-lynx

08/26/2021, 9:08 AM

(btw i normally use

IS TRUE

instead of

= TRUE

but it shouldnt make a diff in this case i think...)

Peanut

08/26/2021, 9:09 AM

Do I need to impersonate someone to set my role? I get a no permission error

Peanut

08/26/2021, 9:09 AM

(I am logged in as

postgres

using my own pg client)

jason-lynx

08/26/2021, 9:10 AM

oh right

postgres

doesnt have permission to do that

jason-lynx

08/26/2021, 9:10 AM

try it on supabase?

Peanut

08/26/2021, 9:13 AM

Is there a way to do this without using the web console?

jason-lynx

08/26/2021, 9:13 AM

i dont think so :/

Peanut

08/26/2021, 9:14 AM

Tried it in the web console and got

missing FROM-clause entry for table "users"

so progress!

Peanut

08/26/2021, 9:14 AM

Peanut

08/26/2021, 9:15 AM

Nvm it's cause

users

comes from the policy

jason-lynx

08/26/2021, 9:19 AM

oh right sorry let me edit what i pasted above

jason-lynx

08/26/2021, 9:19 AM

i removed the first section since u alr said that works

Peanut

08/26/2021, 9:20 AM

Copy code

SET LOCAL request.jwt.claim.sub = 'MY USER ID';
SET LOCAL ROLE authenticated;

SELECT getIsUserEditorOrAdmin(auth.firebase_uid()) = TRUE

> Success. No rows returned

Peanut

08/26/2021, 9:24 AM

So when I set my sub/role via web console I always get 0 results. Even if I do a simple "select all users" query. When I remove the sub/role it works and I get results. It could be another policy screwing it

Peanut

08/26/2021, 9:25 AM

The only other RLS policy I have is:

Copy code

CREATE POLICY "Everyone can read all users."
    ON users
    FOR SELECT USING (
        true
    );

jason-lynx

08/26/2021, 9:27 AM

oh i think the web console only returns results for the first sql command. ok then

Copy code

SET request.jwt.claim.sub = 'MY USER ID';
SET ROLE authenticated;

then remove that code, then run the remaining

SELECT getIsUserEditorOrAdmin(auth.firebase_uid()) = TRUE

btw later once you're done debugging all this, remember to set it back to what it was:

Copy code

SET request.jwt.claim.sub = '';
SET ROLE supabase_admin
;

Peanut

08/26/2021, 9:28 AM

That works - I get a different response now