With Row Level Security (RLS), how would I define that you can only insert content if you have the role level of 42 for example? I have a user table in my public schema and I have the user id + the role level. would it work it I did something like auth.id() = user.id AND user.role = 42? Do I have to 'import the tables' or are all tables accessible from security policy?

Hello @joshcowan25! This thread has been automatically created from your message in #843999948717555735 a few seconds ago. We have already mentioned the @User so that they can see your message and help you as soon as possible! Want to unsubscribe from this thread? Right-click the thread in Discord (or use the ``...`` menu) and select "Leave Thread" to unsubscribe from future updates. Want to change the title? Use the ``/title`` command! We have solved your problem? Click the button below to archive it.

You can access other tables. The policy is like an extra where clause returning true or false. Just be careful of getting too complex as they can run on every row of a table.

joshcowan25 (2022-05-20)

I don't get why It doesn't work: EXISTS (SELECT 1 FROM users WHERE auth.uid() = users.id AND users.role = 42);. Any clue?

Is the role also in the same table you are protecting?

No, I'm trying to secure storage bucket

Try putting schemas in front of users for public or auth. Is role an int and not an array?

I just tried that, but still not working. Role is a int2

Is there RLS on the users table? You are testing with a Select on storage it looks like.

Euhm, no I don't have RLS enable for now on users

Does it work with just uid or role part separately?

No difference 😦

OK just use auth.role()='authenticated' alone as the policy. Then if that does not work, auth.role() = 'anon'

Authenticated didn't work, but anon did...

So you don't have a user signed in or its jwt token being set when you make the storage call.

Just console.log my session.user and I'm authenticated. What do you mean by "jwt token being set when you make the storage call" ?

You need to check the user right before your storage call. Client code normally sets the jwt and keeps it refreshed. If you were calling from serverside code you have to set up the token.

Aaaaah! I just tried to console.log(supabase.auth.session) and it returns null when I call my serverside function. How do I set token with supabase.js?

Serverside stuff is something I don't use. It will vary also depending on your framework. There are some tutorials, There is this effort for a few frameworks: https://github.com/supabase-community/supabase-auth-helpers , or search here or github. You could also ask a question with your framework and what you have tried, or are stuck on. In general you have to pass session, cookies or the jwt to your serverside code and then use https://supabase.com/docs/reference/javascript/auth-setauth , but that probably simplifies it a bit.

Alright! Thanks a lot for you wonderful help! Thank you so much!

Thread was archived by @joshcowan25. Anyone can send a message to unarchive it.