Hey, I wanted to check about Column Level Security...
# ideas-and-suggestionsi
Illia
11/04/2021, 9:46 AMHey, I wanted to check about Column Level Security - maybe you have some thoughts: in Firebase it's not possible to restrict what fields to return in a document unless you build a cloud function or something like that. What about Supabase? RLS looks great but the same issue I guess - how to restrict what columns can be returned? Only by building middleware or there are some other ways?
c
chipilov
11/04/2021, 10:02 AMAFAIK, there are 2 standard ways to achieve this:
1) Hide your table in a non-public schema (i.e. a schema which is NOT exposed to the world via PostgREST) and then expose it to the world via a view in the public schema, where the view only exposes the relevant fields
2) Use PostgreSQL privilege system to revoke SELECT/UPDATE permission on certain columns of the table
Both approaches are described in more details here: https://www.enterprisedb.com/postgres-tutorials/how-implement-column-and-row-level-security-postgresql
There is also a relevant discussion on Supabase's repo about this: https://github.com/supabase/supabase/discussions/3158
i
Illia
11/04/2021, 10:59 AMwow thanks @User! So if I understood it correctly in suggestion 1 - it will be limited to all users as the view will be public - what if more granular permissions are required (multi-role - where each role has access to a different set of columns?). In this light with suggestion 2 in Supabase we have only a 2 roles - anon and authenticated so we can't really extend beyond that. Or am I missing something?
Illia
11/04/2021, 11:01 AMchanging data modeling to move the data to another table as suggested in the GitHub discussion makes sense but I guess not that flexible
Illia
11/04/2021, 11:05 AMmaybe creating function will help in this? I'm assuming that it can return table + limit the data inside
Illia
11/04/2021, 11:41 AMI think that function approach worked well - thanks!
Illia
11/04/2021, 11:42 AMmaybe view based could also work - but we'll have to add some custom check logic that uses current user id to return empty data if access is not allowed
c
chipilov
11/04/2021, 1:57 PMIndeed, a scenario where you have different user roles that need access to different columns is a bit more complicated, but it seems that you already discovered the 2 other approaches which can help with that - functions and views with an additional clause which serves as a RLS in order to return empty data for users that are NOT supposed to use that particular view (similar to what is suggested here: https://stackoverflow.com/a/64283814/2606261)
chipilov
11/04/2021, 1:59 PMThe thing about functions is that it kind of starts to look like middleware and if you find yourself having to create many of those, maybe it's time to just create that middleware in a language that is more natural for the developers in your org (if that is actually SQL, then I guess PostgreSQL functions are actually the right choice)
chipilov
11/04/2021, 2:00 PMIt's definitely a judgement call and not something that I have very good rule of thumb about when to make the switch
chipilov
11/04/2021, 2:00 PMOther than that, whenever you use such functions or views as a security feature, make sure that:
chipilov
11/04/2021, 2:02 PM- the functions are defined security invoker rather than security definer
- the views are defined by a role which does NOT bypass RLS
- the views are marked with the security_barrier attribute (I am not 100% clear on how this last one works, so I would suggest to read up on it if you are not familiar with it: https://www.postgresql.org/docs/13/rules-privileges.html)
chipilov
11/04/2021, 2:07 PMOne last note I'd like to make - there is a feature request for Supabase to expose the pre_request hook from PostgREST. Currently, it's not possible but if I understand this the feature correctly, if it were available you might be able to do some additional security decision in this hook before you even get to the view/table/function (take this with a grain of salt, though, since I am not very familiar with PostgREST)