Supabase - Weweb Security Question

pravictor · December 8, 2024, 6:13am

Hello,

I have a quick question for anyone familiar - when I use Weweb with Supabase and setup collections, do my users have any way of knowing the Postgres table schemas used in the collection?

Broberto · December 8, 2024, 7:31am

Yes, that’s why you should secure it with RLS

pravictor · December 8, 2024, 11:44am

Got it. So I have a situation where I have RLS configured and setup on a table (both read and write perms) however there are 2-3 columns where I want read-only access for the user. I think there are 2 ways to handle this

Use Column Level Security on Supabase and revoke write access to those columns.
Create a new table and migrate the columns to that and set appropriate RLS policies (read-only)

Is there any correct design pattern to handle this situation?

I would prefer to do 1 because it requires no migration work, any gotchas to be aware of?

Broberto · December 8, 2024, 11:55am

Column level security I tend to avoid it feels like an incomplete workaround, last time I checked it was in Beta testing or sonething like that. I’d just split it.

MathiasS-B · December 8, 2024, 10:05pm

There is a Alternative to the Column level Security.

In your RLS for your WRITE
make a Assert that the NEW.collumn value = OLD.Collumn value.

This forces the RLS security on update to be only Readable

You can do this with both Security policies and with “simple” check statements.

Broberto · December 9, 2024, 6:02am

Have you done this? Last time I tried to do something like this I found it was not a thing. You don’t get old. Only new?

One other workaround I found is creating a trigger before insert, there you have the old and new values. But that also feels bad.

Found a nice question about this in stackoverflow.

carrano_dot_dev · December 10, 2024, 10:08pm

Assuming the rls is in place to keep users from editing other users data… Perhaps revoke all write access to the table and then create a postgres function with a security definer (so that it can still write to the table) with an if statement that checks that the auth.uid() equals the user_id field of the row they want to write to.

MathiasS-B · December 12, 2024, 2:40pm

Yeah i made it like This:

CREATE OR REPLACE FUNCTION public.validate_TaBLE_update()
RETURNS trigger
LANGUAGE plpgsql
AS $$
BEGIN
IF NEW.all_info_submitted <> OLD.all_info_submitted THEN
IF is_global_admin() = false THEN
RAISE EXCEPTION ‘Updating “all_info_submitted” is not allowed’;
END IF;
END IF;

RETURN NEW;
END;
$$;

CREATE TRIGGER before_TaBLE_update
BEFORE INSERT OR UPDATE
ON TaBLE
FOR EACH ROW
WHEN (row_security_active(‘TaBLE’))
EXECUTE FUNCTION validate_TaBLE_update();

This makes it so that only the GlobalAdmins can edit this Column

Topic		Replies	Views
Problem with creation policy in Supabase Ask us anything authentication , supabase	5	151	June 6, 2024
Supabase Security when fetching Collection Ask us anything security , supabase	1	220	January 22, 2024
Weweb "ignore" Row Level Security How do I? authentication , supabase	4	269	December 23, 2023
Help with Supabase RLS policies How do I? supabase	27	1766	November 29, 2023
[Supabase] Role Based Access in two steps Share your work supabase	3	329	November 25, 2024

Supabase - Weweb Security Question

Related topics