Reputation: 497
Using Materialized Views for RLS in Supabase: Best Practices and UI Limitations
Body
Hello everyone,
I'm working on a project where I need to calculate the final cost (gasto) for each expense by applying various taxes. I also need to implement Row-Level Security (RLS) to restrict data access based on the user ID.
Context:
- I have a table called
gastosthat stores individual expenses. - I have another table called
taxesValuesthat stores different types of taxes. - A third table,
gastosAppliedTaxes, establishes a many-to-many relationship betweengastosandtaxesValues, indicating which taxes are applied to each expense. - I initially used a view called
final_gastosto calculate the final cost (gasto) for each expense after applying the taxes. The view essentially joinsgastos,taxesValues, andgastosAppliedTaxesto perform this calculation.
Why Materialized View?
I opted for a materialized view for two main reasons:
Performance: Materialized views store the result of the query, making data retrieval faster, especially when dealing with complex joins and calculations.
Row-Level Security (RLS): Unlike regular views, materialized views in PostgreSQL allow for the application of RLS policies. This is crucial for my application as I need to restrict data based on the user ID.
Questions:
Materialized Views for RLS:
Given the above, I switched from using a view to a materialized view calledfinal_gastosso that I can apply RLS. Is this a good approach? Are there any downsides or better alternatives?Supabase UI Limitations:
I noticed that the Supabase UI doesn't show policies for materialized views and lacks a UI for setting policies like it does for normal tables. Is this a limitation of Supabase, or am I missing something?
Any insights or recommendations would be greatly appreciated.
Thank you!
Upvotes: 1
Views: 1613
Answers (2)
Reputation: 515
RLS
BEGIN;
CREATE POLICY "all" ON "public"."table_a" USING ( user_id= auth.uid() );
COMMIT;
Materialized Views
- hypothesis that: m_view_1 has column user_id of table_a with foreign key
Mix view (repeat join table_a)
create or replace view
view_1 with(security_invoker= true) as
select m_view_1.* from m_view_1 join table_a on m_view_1.user_id= table_a.user_id;
Conclusion
- Well the problem is we can m_view_1 query the entire record with supabase.
- Let's block requests to /rest/v1/m_view_1 or even /rest/v1/m_view_* with nginx or kong. https://www.nodejsauto.com/2025/01/using-materialized-views-for-rls-in.html
Upvotes: 0
Reputation: 18680
RLS policies are set on tables and not views. When you have a view, the RLS of underlying tables are respected if the view is a security invoker. I believe in Postgres, materialized views do not support RLS at the moment.
You can create a security invoker view like this:
CREATE VIEW .. WITH (security_invoker=on)
Upvotes: 2
Related Questions
- Supabase: Solutions for column-level security
- How can i use hCaptcha verification to protect a table in supabase?
- Supabase - RLS on a logical view?
- How to trigger insertion of row into child table from parent table with RLS enabled?
- RLS with Security Definer function returns error with no message, and no error in logs in Supabase / Postgresql