Hello, I am building a web app where I have both a public (non-authenticated) frontend and a (secured) backend. I am using Supabase with RLS activated and configured.
The question is:
On the public front end, I have a form where I fetch a collection (from Supabase), e.g. the Service table, to show service options in a selector input field. RLS is activated on that table to let public users read only.
In that same Supabase Service table I have sensitive information that I do not want to show to public users (e.g. the cost, supplier name, etc.).
In the WeWeb Supabase plugin, I have configured the collection to fetch only the service id and service name fields. Is this the correct way to protect the other sensitive information in the table from being accessed by anyone?
Should I create a public_service_view with only the desired public information or use Supabase Column Level Security?
Also, if I apply a filter on a collection (e.g. to show only active services) for public users, is it secure, or is there any way someone could alter the request to Supabase to get access to more information than what was filtered in the collection?
Thanks for your help,
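
The two database-side options named in the question, sketched as an added example (not part of the original post), so that the column and row limits are enforced by Postgres rather than by the fields or filter chosen in the client-side collection. The table layout and the column names (`id`, `name`, `is_active`, `cost`, `supplier_name`) are assumptions; `anon` is the role Supabase uses for unauthenticated requests.

```sql
-- Assumed schema: table and column names are illustrative, not taken from the post.
create table if not exists public.service (
  id            bigint generated always as identity primary key,
  name          text not null,
  is_active     boolean not null default true,
  cost          numeric(10,2),   -- sensitive
  supplier_name text             -- sensitive
);

alter table public.service enable row level security;

-- Option A: column-level privileges on the base table.
-- anon keeps SELECT only on the public columns; the RLS policy limits the rows.
revoke all on table public.service from anon;
grant select (id, name) on table public.service to anon;

drop policy if exists "anon reads active services" on public.service;
create policy "anon reads active services"
  on public.service for select
  to anon
  using (is_active);

-- Option B: a view exposing only the public columns and active rows.
-- The view runs with its owner's rights (security_invoker is off by default),
-- so anon needs no privilege on the base table for this option.
create or replace view public.public_service_view as
  select id, name
  from public.service
  where is_active;

-- A simple view is auto-updatable: drop any default write grants, keep read only.
revoke all on public.public_service_view from anon;
grant select on public.public_service_view to anon;

-- Checks, run as the anon role:
set role anon;
select id, name from public.service;        -- Option A: allowed, active rows only
-- select cost from public.service;         -- fails: permission denied
select * from public.public_service_view;   -- Option B: id and name only
reset role;
```

With Option A, a `select *` issued as `anon` against the base table fails, so the collection must name the permitted columns explicitly.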