I'm wondering, what's the preferred way to disable...
# help
t
I'm wondering, what's the preferred way to disable anonymous access to the database? I'm considering two options:

1. Revoke access to anon from authenticator. - This seems the most "global" solution, but will it cause any problems?
2. Revoke access to all my objects from anon - tedious and too easy to forget something

What is the best practice to disable unauthenticated access?
o
Hi. The best way to limit or disable anonymous access would be to set up policies (RLS) @torkleyy
torkleyy (2022-04-29)
t
Hi @Olyno! So you recommend enabling row level security even if the rule is independent of the rows? Why is that preferable to denying access to the table completely? Also, the same problem occurs with RPCs, so I would have to check ``auth.role()`` in every single function, right? Thank you.
o
If I understood correctly, you're trying to restrict access to only logged-in people. In that case, I don't see the point of specifying row access. You can restrict your tables by using ``auth.role()`` as you suggested:

```sql
-- Allow INSERT on public.matches only when the request runs as the authenticated role
CREATE POLICY "policy_name"
ON public.matches
FOR INSERT WITH CHECK (
  auth.role() = 'authenticated'
);
```
I'm not sure what you mean with ``so I would have to check auth.role() in every single function, right?`` 😅
t
If you create a function in the public schema of the database (stored procedure), PostgREST will expose it under the rpc endpoint. So I also have to make sure to check the role in every function. It just seems it would be safer to have a global setting to disable unauthenticated access 😄