Issue with Private Access - Role-Based Redirection Not Working as Expected

Hi everyone,

I’m trying to use the private access feature, but I’m running into an issue.
The redirection is working as it should, but it seems that even when a user has the required role, they still can’t access the page.

In the image, you can see 3 roles created in Supabase (see image below):

And I’ve created 2 access groups based on these roles (see image below as well):

Even though my user clearly shows as having these two roles in Supabase (see image):

When the logged-in user tries to navigate to the page, they are redirected as if they don’t have the roles.

It was configured like this (access denied):

When I changed it back to this configuration, it worked normally (access granted):

What could be the issue?

I saw another post mentioning it could be related to the WeWeb plan. My WeWeb plan is the “Essencial” plan. However, if this feature isn’t included in my plan, why would it be available for me to configure?

Thanks

Hi Dereck, welcome to our community :waving_hand:

Roles only work when your app is published, so you are going to need to preview this feature while the app is published.

I also created a tutorial for this:

Hope this helps!

1 Like

Hi Agustin,

Thanks for your reply and the tutorial.

I need to clarify: the issue I’m facing is with the published app, not the editor. In the published app, users are redirected even when logged in and possessing the correct Supabase roles.

My Supabase roles are correctly configured and visible in WeWeb’s Supabase plugin (see new image below):

The core problem: WeWeb’s page access rules in the published app don’t seem to recognize these Supabase roles. Users get redirected as if they lack the roles, though the roles are visible on the user object in WeWeb (as shown in the user-detail image from my first forum post).

If I remove these specific role/group restrictions from the page, leaving only “authenticated user,” access works correctly in the published app.

Thanks

I remember having a similar issue.
First thing is we need to determine if our roles are actually being captured by our auth plugin:

On the user variable (that comes with the auth plugin) you can see the entire object of the logged-in user, and here you can check if it’s actually receiving the roles.

If not, you need to change your RLS in Supabase to make sure an authenticated user is able to read from those tables (userRoles and Roles).

3 Likes

That worked! The RLS for the roles tables was the issue. Thanks for the clear steps!

2 Likes

I’m having the same problem, but the roles are present in the user object in production. The strange thing is that it works in the Editor! What permissions are different?
The RLS rules are the ones set by WeWeb when I activated the roles via the Editor UI. Also, I tried disabling RLS for the roles and users_roles tables and nothing changed.

The redirect to the default page (provider-signin) for a user without the credentials always happens, even if this is set:

The only way to prevent the redirection is to remove the editors group (that contains the provider role). But this is not what I need.
Also, I’m quite sure this worked until some days ago and now it stopped working.

Any known update on the WeWeb side that could have broken it?

Thank you for the support.

OK, never mind, I found out that the roles in a group are in an AND condition, not an OR :sweat_smile:

1 Like

Hi Federico,

You need to set up your RLS in your Supabase tables directly.
RLS: Row Level Security
You need to tell Supabase who you want to give access to: reading, writing, deleting, etc.
And you need to do that for all tables (each one will have its own rules).
In order to use roles inside WeWeb you will need to set up those RLS rules for 2 tables:
“Roles” and “UserRoles”

You can learn more about it here:

1 Like
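An added example, not code from any post in this thread or from WeWeb: one way to write the read rules discussed above so that RLS stays enabled and each signed-in user can read only their own role assignments. The table and column names (`public.roles`, `public."userRoles"`, `"userId"`) and the policy names are assumptions; adjust them to your schema.

```sql
-- Assumed schema (not from the thread):
--   public.roles(id, name)
--   public."userRoles"("userId" uuid, "roleId"), where "userId" matches auth.users.id

-- Keep RLS enabled on both tables rather than disabling it.
alter table public.roles enable row level security;
alter table public."userRoles" enable row level security;

-- Any signed-in user may read the role catalogue (ids and names only).
create policy "authenticated can read roles"
  on public.roles
  for select
  to authenticated
  using (true);

-- A signed-in user may read only the rows that assign roles to them.
create policy "users can read own role assignments"
  on public."userRoles"
  for select
  to authenticated
  using ("userId" = (select auth.uid()));

-- No insert/update/delete policies are created for "authenticated":
-- with RLS enabled and no matching policy, those operations are denied,
-- so a client session cannot grant itself a role.

-- Check which policies are in effect on the two tables.
select tablename, policyname, cmd, roles, qual
from pg_policies
where schemaname = 'public'
  and tablename in ('roles', 'userRoles');
```

After applying rules like these, log in to the published app and confirm the roles appear on the auth plugin's user variable, as described earlier in the thread.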