I know that RLS doesn t apply to views So right now I got a Supabase #help

I know that RLS doesn't apply to views. So right n...

enti

04/06/2022, 3:48 PM

I know that RLS doesn't apply to views. So right now, I got a view readable to everyone (actually, the user who created the view applies). I also built a function using that view, a function that I use in my front-end. What I want is to disable this view API so the function still works (for all, even for anon), but the view isn't open to everyone. What would be the best way to do that ?

Needle

04/06/2022, 3:48 PM

Hello @enti! This thread has been automatically created from your message in #843999948717555735 a ``few seconds ago``. Pinging @User so that they see this as well! Want to unsubscribe from this thread? Right-click the thread in Discord (or use the ... menu) and select Leave Thread to unsubscribe from future updates. Want to change the title? Use the

/title

command! We have solved your problem? Click the button below to archive it.

Scott P

04/06/2022, 4:10 PM

When you create your view, you can perform filtering on it. For example, if everything is contained in a subquery called

root

and you had a column called

user_id

passed out of that subquery, then

WHERE root.user_id = auth.uid()

would mean that only the view would only show rows where that

user_id

is present. The downside of this is that it's not possible to view all data in the view via an SQL tool. You should be able to add an additional check such as

current_user = "postgres"

(or whichever user you're viewing the database as) which would resolve that limitation.

Needle

04/06/2022, 4:10 PM

enti (2022-04-06)

Scott P

04/06/2022, 4:11 PM

You wouldn't need to use a function to view data in your view this way, and would be able to query it directly as though it's a table. If I've misunderstood what you're trying to do, my apologies.

enti

04/06/2022, 4:23 PM

I actually need a function for some specific business issues that can't be handled with Auth. So yeah, I want the function to be readable by all, but the view the function is using not to be readable through an API call

DanMossa

04/06/2022, 7:37 PM

Oh that's interesting. @Scott P so basically the view has RLS built in by just adding where?

Scott P

04/06/2022, 7:43 PM

Yeah. Since views are literally just select queries at the fundamental level, building in the RLS via

WHERE

seems like the easiest solution to implement

Steve

04/07/2022, 2:45 PM

RLS works with views, see a recent discussion on reddit: https://www.reddit.com/r/Supabase/comments/txq9o9/rls_views_and_functions/

DanMossa

04/07/2022, 3:04 PM

You can also use RLS with views natively in postgres 15

Steve

04/07/2022, 3:46 PM

Yes, waiting for that improvement. More details here: https://www.depesz.com/2022/03/22/waiting-for-postgresql-15-add-support-for-security-invoker-views/

Previous Next