I’m a bit confused here with Supabase row level security policies (RLS) and how WeWeb is passing the auth data. Most of the RLS I’ve seen suggest to use auth.uid() = user_id but I get an error Error: new row violates row-level security policy for table "XXXXXXX". I can only grant WeWeb access by using user_id = user_id as it looks like user_id is what’s being passed in the payload to Supabase. Can anyone more experienced shed some light? I can’t find a good way to query or debug auth.uid(). Thanks.
Are you logged in on WeWeb and do you have all set up properly? Do you have the user_id in the table that you’re hitting?
What you’re doing with this policy is actually saying, if the user_id sent by the logged in user who is calling this query matches the user_id on the records stored in this table, then it is okay.
I’d need to see your table setup and your query in WeWeb to tell you more. Also make sure you have RLS set up for the action you’re doing, in your case you’re doing INSERT I guess, so you need to have RLS for INSERT, also I think there is a tricky RLS somewhere, where you need to have INSERT and ALSO update to do certain tasks, but I’m not sure which one it is now.
Would really help to see your setup
@Broberto yeah, logged into WeWeb as a user and all set up properly with the user_id in the table I’m hitting. Yeah I believe if you have RLS for INSERT, you also need the same policy for SELECT.
Here’s the relevant field from my table which contains user_id which is a foreign key to auth.users.id
Here’s the payload which contains the user_id.
My insert action where I’m inserting the Supabase Auth - [‘user’].id into user_id
My understanding was that auth.uid() = user_id would grab the Supabase Auth - [‘user’].id and only allow that user to select, insert, update etc rows for their own user_id. Not sure where I’m going wrong here.
Yes, I just answered it in another topic, with the current Supabase Plugin for WeWeb version, you need to have the same SELECT RLS as well.
Check this out
If you want to do that only auth.uid() = user_id then yeah, you gotta do it for the both though. Or do Select for all auth users. So you’re right, but you need to just add select either true for authenticated users too, or do the same policy for the select.
I definitely don’t want users to be able to see all rows - just the rows that belong to their user_id. I just updated all my RLS to be “(auth.uid() = user_id)” and it seems to be working now. It’s possible that I was missing a RLS UPDATE policy on a different table that watches my first table for an update. Can’t really confirm, but in any event, I seem to have this working now lol Thank you!
It seems like in the other thread, we found that you can’t do INSERT without having a SELECT too, if it was the update policy, then nice, glad you solved the issue)
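The policy set this thread converges on, with a way to exercise auth.uid() from the Supabase SQL editor, as an added example that is not from any of the posts above. The table name public.items and the UUIDs are constructed placeholders; it assumes user_id is a uuid column referencing auth.users.id, and that the first UUID is replaced with the id of an existing user.

```sql
-- Hypothetical table: public.items (id, user_id uuid references auth.users (id))
alter table public.items enable row level security;

-- Weak form, shown for contrast only. Inside a policy both sides of
-- user_id = user_id name the row's own column, so the check passes for
-- any non-null user_id and never compares against the caller.
--   create policy "items_insert_any" on public.items
--     for insert with check (user_id = user_id);

-- Owner-only policies. INSERT is paired with SELECT because, per the
-- thread, the WeWeb Supabase plugin needs both for an insert to succeed.
create policy "items_select_own" on public.items
  for select to authenticated
  using (auth.uid() = user_id);

create policy "items_insert_own" on public.items
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy "items_update_own" on public.items
  for update to authenticated
  using (auth.uid() = user_id)        -- which existing rows may be updated
  with check (auth.uid() = user_id);  -- what the row may look like afterwards

-- Debugging auth.uid(): the SQL editor normally runs as a role that bypasses
-- RLS, so switch role and supply the JWT claims that auth.uid() reads.
begin;
  set local role authenticated;
  select set_config(
    'request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
    true  -- local to this transaction
  );

  -- The value the policies compare against user_id.
  select auth.uid();

  -- Row owned by the caller.
  insert into public.items (user_id)
  values ('00000000-0000-0000-0000-000000000001')
  returning id;

  -- Row claiming a different owner, which items_insert_own is meant to reject.
  insert into public.items (user_id)
  values ('00000000-0000-0000-0000-000000000002');
rollback;
```

Everything inside the transaction is rolled back, so the test rows and the role switch do not persist.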