i m adapting these policies from a postgraphile project and Supabase #sql

i'm adapting these policies from a postgraphile pr...

(d,f,g)=> 🥁

04/21/2022, 8:23 PM

i'm adapting these policies from a postgraphile project, and wondering if they make sense within postgrest:

Copy code

sql
create table comments (
  comment_id int primary key generated always as identity,
  user_id uuid references auth.users default auth.uid(),
  blog_slug text not null,
  parent_id int references comments,
  body text not null check(length(body) between 1 and 2000),
  created_at timestamptz not null default now()
);
create index on comments (blog_slug);
create index on comments (parent_id);
alter table comments enable row level security;
create policy select_all on comments for select using (true);
create policy insert_own on comments for insert with check (user_id = auth.uid());
create policy update_own on comments for update using (user_id = auth.uid());
create policy delete_own on comments for delete using (user_id = auth.uid());

this this is all typical stuff, but will these work as i expect?

Copy code

sql
grant select on comments to anon;
grant
  insert (blog_slug, body, post_id, parent_id),
  update (body),
  delete
on comments to authenticated;

Steve

05/02/2022, 5:33 PM

@(d,f,g)=> 🥁 Yes, policies should work fine

Steve

05/02/2022, 5:39 PM

Regarding regular table/column-level security(GRANTs), those might not work as you expect since Supabase alters the default privileges of the authenticated/anon roles. Here's how you can revoke them: https://github.com/supabase/supabase/discussions/1493#discussioncomment-724842

Previous Next