Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, and Storage.

Supabase

Hi! I'm learning my way through setting up RLS and wondering: what's the best way to handle deep object hierarchies?

We have a "document" that is a 4-levels deep object hierarchy and we want to restrict updates on all entities of a document to the contributors of that document. We have a `contributors` table that maps `user_id` to `document_id`

Two solutions I have so far:
1. Define policies that perform joins to find the `document_id` and check that the user is a contributor of the document. At the deepest level, this is a join across 5 tables (4 levels + contributors table) within RLS policies.
2. Keep a `document_id` column for entities at each level of the hierarchy, since that value will never change after creation anyways. Breaks normalization, but RLS policies become very simple & efficient.

So far, I'm leaning towards 2. but would love input from people with more experience!

I would go with 2 also, but only if you are sure that `document_id` will never change after creation, if it does otherwise you might have some maintenance burden.

Yes it's 100% certain - but you got me thinking it may be good practice to create policies that ensure this column is never updated