Hey guys, I've got a question: I've got a table in...
# sql
d
Hey guys, I've got a question: I've got a table in the public schema with RLS enabled and I'd like for `SELECT`, `INSERT` and `UPDATE` to be publicly accessible with the Anon key, but only if the user knows either the `deviceId` or `userId`. I can't use `auth().id` because I want the API to be accessible even for users that have not yet registered. I just want to prevent people from querying the entire DB. How would I implement this using a policy?
s
There's no way to prevent someone from querying the entire table without RLS in place. I would do the following:
- Create RLS policies for (`insert`, `update`, `delete` and `select`) with the policy value simply set to `false`. This will prevent all operations against the table for anyone except admin or secret key, or postgres functions
- Create some postgres functions which accept `userId` and `deviceId` parameters which will perform the query. If you specify `SECURITY DEFINER` for the function when creating it, it will be able to bypass RLS. Then, you would call those functions with `.rpc()`
d
@User thanks for the guidance, I'll look into it!
g
Another option is to pass your deviceId as a header (set when you init Supabase) and then use RLS to check that. See the marked as answer here: https://github.com/supabase/supabase/discussions/4755
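The two approaches above, written out as an added example that is not from anyone in this thread: deny-all policies on the table plus `SECURITY DEFINER` lookup functions (as s describes), and a header-checked policy (as g describes). It assumes a table `public.devices` with columns `device_id`, `user_id` and `payload`, a header named `x-device-id`, and PostgREST's `request.headers` setting for reading request headers inside a policy (the mechanism used in the linked discussion); the table, column and function names are placeholders.

```sql
-- Added example, not code from the thread or from Supabase.
-- Assumed schema: public.devices(device_id, user_id, payload).
create table if not exists public.devices (
  device_id uuid primary key default gen_random_uuid(),
  user_id   uuid,
  payload   jsonb
);

alter table public.devices enable row level security;

-- 1. Deny everything to the API roles. With RLS enabled and no permissive
--    policy a query already returns zero rows; explicit `false` policies just
--    make that intent visible to whoever reviews the schema later.
create policy devices_no_select on public.devices for select using (false);
create policy devices_no_insert on public.devices for insert with check (false);
create policy devices_no_update on public.devices for update using (false) with check (false);
create policy devices_no_delete on public.devices for delete using (false);

-- 2. SECURITY DEFINER functions run as their owner and therefore bypass RLS.
--    The function body is now the entire access check: every statement must
--    filter on the identifier the caller supplied, and search_path is pinned
--    so the objects it references cannot be shadowed by another schema.
create or replace function public.get_device(p_device_id uuid default null,
                                             p_user_id   uuid default null)
returns setof public.devices
language sql
security definer
set search_path = public
stable
as $$
  -- Both parameters null -> both branches false -> no rows (never "all rows").
  select * from public.devices
  where (p_device_id is not null and device_id = p_device_id)
     or (p_user_id   is not null and user_id   = p_user_id);
$$;

create or replace function public.create_device(p_user_id uuid, p_payload jsonb)
returns public.devices
language sql
security definer
set search_path = public
as $$
  -- The caller learns the generated device_id from the returned row and
  -- must present it on later calls.
  insert into public.devices (user_id, payload)
  values (p_user_id, p_payload)
  returning *;
$$;

create or replace function public.update_device_payload(p_device_id uuid, p_payload jsonb)
returns public.devices
language sql
security definer
set search_path = public
as $$
  update public.devices
     set payload = p_payload
   where device_id = p_device_id   -- unknown id -> zero rows updated
  returning *;
$$;

-- Limit who may execute the definer functions to the API roles.
revoke all on function public.get_device(uuid, uuid)               from public;
revoke all on function public.create_device(uuid, jsonb)           from public;
revoke all on function public.update_device_payload(uuid, jsonb)   from public;
grant execute on function public.get_device(uuid, uuid)             to anon, authenticated;
grant execute on function public.create_device(uuid, jsonb)         to anon, authenticated;
grant execute on function public.update_device_payload(uuid, jsonb) to anon, authenticated;

-- 3. Alternative: read the device id from a request header in a policy.
--    current_setting(..., true) returns NULL when the header is absent, so the
--    comparison is NULL and the row is hidden. Permissive policies are OR'd,
--    so drop devices_no_select if you go this route instead.
create policy devices_select_by_header on public.devices for select
  using (
    device_id::text = (current_setting('request.headers', true)::json ->> 'x-device-id')
  );
```

From the client, the function route is `supabase.rpc('get_device', { p_device_id: '<uuid>' })`; the header route sets `x-device-id` in the client's global headers when initialising the client. Both schemes are only as strong as the identifier: a random UUID is effectively unguessable, whereas sequential integer ids would let anyone walk the whole table one call at a time, which is exactly what the question wants to prevent. With `SECURITY DEFINER` there is no RLS safety net behind the function, so a forgotten `where` clause in any of these bodies exposes every row.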