Patric

Reputation: 1627

Supabase / PostgREST: Deny select multiple

I am building a supabase app. Instead of a login every user gets a uuid (or multiple, if he wants to). Everyone that knows the uuid has full access to the data behind this uuid.

So basically the database is open to anyone, as long as you use any valid uuid to write/read your stuff.

Now the problem: I don't want users being able to select all entries in the table. I want to enforce that every query has a condition where id = xxx. Of course I could do this in my app, but it is not enough, since we should never trust a client... I need to enforce this in the backend (i.e. in postgrest/supabase).

In firestore the read permission is broken down in get and list, so I can just allow get and disallow list and I am good to go. Is there something similar in postgrest/supabase?

Upvotes: 0

Views: 806

Answers (1)

Steve Chavez

Reputation: 1176

> I want to enforce that every query has a condition where id = xxx.

This is exactly what a PostgreSQL RLS policy would do.

You have some examples on the supabase docs:

https://supabase.io/docs/guides/auth#policy-examples

Upvotes: 1
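One way to express the get-but-not-list rule from the question as row level security policies, shown as an added example that is not code from the answer or from the Supabase docs. It assumes a table `public.entries`, a client-sent request header `x-entry-id`, a helper function `requested_entry_id()` (all hypothetical names), and a PostgREST version that exposes request headers through the `request.headers` setting (v9 or later).

```sql
-- Added example. Assumed names: public.entries, x-entry-id, requested_entry_id().
create table if not exists public.entries (
  id      uuid primary key,
  payload jsonb not null default '{}'::jsonb
);

-- uuid from the request header, or NULL when the header is absent or malformed.
-- NULL never equals any id, so every policy below fails closed.
create or replace function public.requested_entry_id()
returns uuid
language plpgsql
stable
as $$
begin
  return (nullif(current_setting('request.headers', true), '')::json
            ->> 'x-entry-id')::uuid;
exception
  when invalid_text_representation then
    return null;
end;
$$;

alter table public.entries enable row level security;

-- anon is the role Supabase uses for requests without a logged-in user.
grant select, insert, update, delete on public.entries to anon;

create policy entries_select_by_id on public.entries
  for select to anon
  using (id = public.requested_entry_id());

create policy entries_insert_by_id on public.entries
  for insert to anon
  with check (id = public.requested_entry_id());

create policy entries_update_by_id on public.entries
  for update to anon
  using (id = public.requested_entry_id())
  with check (id = public.requested_entry_id());

create policy entries_delete_by_id on public.entries
  for delete to anon
  using (id = public.requested_entry_id());
```

A request that omits the header, or sends a uuid that matches no row, gets an empty result instead of the whole table. Roles that bypass RLS, such as the table owner, are not restricted by these policies.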
