https://supabase.com/ logo
Join Discord
Powered by
Hi everyone, I posted this thread https://discord....
# help
j
Hi everyone, I posted this thread https://discord.com/channels/839993398554656828/982328388897366066 on #869405720934744086 but I guess it makes more sense to ask for help here, I'm having issues with my db's roles after using prisma
n
Hello @Jenaro Calvino! This thread has been automatically created from your message in #843999948717555735 a few seconds ago. We have already mentioned the @User so that they can see your message and help you as soon as possible! Want to unsubscribe from this thread? Right-click the thread in Discord (or use the ``...`` menu) and select "Leave Thread" to unsubscribe from future updates. Want to change the title? Use the ``/title`` command! We have solved your problem? Click the button below to archive it.
🆕 Prisma and Postgres usersroles
o
Ah ups, i forgot you moved the discussion here 😅 anyway, let's continue the discussion in the previous thread :p
j
Hey Olyno, I'm sorry I don't mean to bother but do you have any idea as to how I could solve this?
o
Hey Sorry for being inactive about your issue. Honestly, i don't know how to solve it. I thought it could be because of the selfhost version, but you didn't know what it was. I guess the best way would be to wait that the issue you found is closed. We can also ask help to @garyaustin on this issue, he's probably a better magician than me about postgres stuff 😅
j
Thanks anyways!
o
Just to be sure, did you run any migrations from Prisma before interacting with the database?
g
My guess is that in trying to follow that issue you "wiped" out some critical grants/permissions on the schema or tables. Frankly it could be a mess trying to fix them without fully understanding the grant/permission requirements. It might be as simple as running this:
Copy code
grant usage                     on schema public to postgres, anon, authenticated, service_role;
alter default privileges in schema public grant all on tables to postgres, anon, authenticated, service_role;
alter default privileges in schema public grant all on functions to postgres, anon, authenticated, service_role;
alter default privileges in schema public grant all on sequences to postgres, anon, authenticated, service_role;
from that issue... https://github.com/supabase/supabase/blob/d1d6278913f5a752253a3d47a0d4adabd3bfaf7a/docker/volumes/db/init/00-initial-schema.sql#L37-L43 For the client to work anon, authenticated, service role need access to all public tables. But you may be better off just starting over as you may have long term issues if you can't patch them all back up.
o
Do you think it can be caused by a Prisma? I experienced some issues with Prisma migrations and Supabase
g
Prisma is does mess with things, but I've not heard of anyone losing access from the client. It seems like in this case more might have been done to the privledges/grants by the user following that issue. So now two possible changes have occurred.
j
According to the issue, prisma does reset some permissions when migrating and all
Before running the commands on the issue, I did not have access to the schema, so even less access
g
Prisma is mystical to me based on the issues I've seen people having with permissions and migrations. You might ask in that github issue also.
j
By "starting over" you mean a new supabase project entirely?
g
Yes, but you could end up right back with the same Prisma issue that you started with.
j
exactly
It just seems that even after successfully running the commands to add privileges to anon, the tables already created are not affected
I still only see the "postgres" grantee
g
Did you run the commands I just listed up above.
j
yes
g
Do you have a db tool to look at the tables?
Copy code
grant delete, insert, references, select, trigger, truncate, update on messages to anon;

grant delete, insert, references, select, trigger, truncate, update on messages to authenticated;

grant delete, insert, references, select, trigger, truncate, update on messages to service_role;
Are the grants on my public tables.
j
You mean like Beekeeper studio?
I've been running this
Copy code
select *
from information_schema.table_privileges
where table_name = 'User'
g
Yes, I see in your other thread, and I have the same results as my working table. And that you seem to have the privileges assigned. So another thing to deal with when using Prisma is it uses capital letters. Postgres always defaults everything to lowercase unless in the SQL you do "Testing" with doublequotes. In your query that is failing from the client is your table capitalized? The client should handle that, but you have to have the capital letter.
j
Yes, my query:
Copy code
let { data, error, status } = await supabase
         .from("User")
         .select(`*`)
         .eq("id", user.id)
         .single();
It seems that even after running those grant statements, it doesn't grant access to those tables
https://stackoverflow.com/questions/67551593/supabase-client-permission-denied-for-schema-public This is what I followed to get access to the schema, but didn't work for tables
g
Do you have RLS on?
It looks like your User table does have grants on, at least it matches my table when I used the sql to query the grants. I think if there is a row in that table it has a grant.
j
It does have RLS on
g
Turn it off for a second
j
Ok
Done
g
Does it work now?
j
No, I get the same error message
Copy code
Object {
  "code": "42501",
  "details": null,
  "hint": null,
  "message": "permission denied for table User",
}
g
So your User table has the same result from the select * from information_schema.table_privileges where table_name = 'User' As the one you showed for Testing?
j
No, the User table shows only 'postgres'
Since these tables where created by prisma, could it be that Supabase does anything special when creating tables from the UI that where overlooked here?
g
Part of the original file with all the grants, sets up the schema to grant all the privileges to any new table created later.
j
g
If Prisma created the table and did not assign grants they have to be assigned.
That issue is similar in that the grants did not get assigned.
j
I'm creating a new table and then checking the Grants
When creating this new table, I see all the grantee there, unlike the tables created by Prisma, is there maybe a manual way to add these grantee for each table?
g
I thought this: alter default privileges in schema public grant all on tables to postgres, anon, authenticated, service_role; Would do that.
j
It seems it doesn't 😢 the privileges on prisma created tables seem to stay the same
g
Maybe this: GRANT ALL PRIVILEGES ON "TABLE" TO postgres,anon,authenticated,service_role
Where "TABLE" is your name.
j
That seems to have worked!
It worked! Thanks, so, I wonder, with these new privileges does it mean that someone with the "anon" role can edit my table?
g
That is where RLS comes in
Or you can revoke the grants for anon and just add select.
j
Thanks, really, confusing long thread but thank you! 🙏🏼
g
I always dread answering a Prisma question.... glad we made progress.
PreviousNext
Powered by