is it possible to insert rows only via a function ...
# off-topic
g
Is it possible to insert rows only via a function but not via direct "insert into" calls? In other words, can I restrict policy for direct inserts but enable permissible policy for a function that would ultimately do the insert?
f
While creating a function, you can use the keywords SECURITY DEFINER. Then, while executing the function, the inserts will be sent with the same permissions as the postgres user, therefore skipping the RLS.
g
Doesn't "security definer" run the function with the permissions of the owner (who created the function)?
And I think my question is somewhat different. I want for every limited user (not of a superuser role) to disable direct inserts onto tables but enable them from within certain functions (such functions would first do some validation of the incoming arguments).
f
Yeah, exactly, the function would run as the owner (postgres). Inside of the security definer function you can do all sorts of authorization / validation checks to only insert under certain conditions.
g
So it's some kind of advanced replacement of ordinary security policy? I mean I would disallow insert into tables for all users but introduce this security definer function with manual checks for permissions inside it. Right?