Weweb "ignores" Row Level Security

I have a table at Supabase: “private_user,” which contains very sensitive user data and is naturally protected by Row Level Security (RLS). This works perfectly when the respective user is logged in and thus can access only their data through a SELECT RLS (user_id = auth.uid()). However, I’ve noticed that when the user is not logged in, Weweb fetches all the data from the table and completely bypasses the RLS of Supabase. What am I doing wrong?

In the screenshot, I’ve simply set the RLS to “false.” Even then, Weweb retrieves the data.


Are you accessing the db with a user that has the superuser role?

Also, try setting authenticated on that policy.

I am using the Supabase plugin from Weweb with the public key. There aren’t many options in the plugin to determine whether it acts as a superuser. I have also set the policy to authenticated, but the data is still being fetched. In my example, again no user was logged in. It also fetches the data in the published app, so anyone can access very sensitive data. I also looked again at @Joyce’s instructions (setting up Supabase) and am of the opinion that I have not left out any setting that would lead to such a security gap. So I was a little surprised that other people seem to be in a similar situation.


[Screenshot: Bildschirmfoto 2023-12-23 um 10.14.16]

Are you using the correct anon API key? It looks as if you might be using the service_role API key, which bypasses RLS.

Actually, that’s pretty odd. It should only grab data in the context of the authenticated user.

I know that RLS will be bypassed by default when creating table views, but that’s not what it looks like you’re doing here. When making views you need to use security_invoker.

Can you see which user is logged in when this is happening? You should then be able to compare the uuid against the user in your auth.users table and check the role of that user.
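The points raised in this thread (an RLS policy restricted to the authenticated role with `user_id = auth.uid()`, the service_role key bypassing RLS, views needing `security_invoker`, and checking which role a request actually runs as) as one added SQL example. This is not code from the thread or from Weweb/Supabase; only the table name `private_user` and the column `user_id` come from the question, the view name, policy name and `created_at` column are assumed.

```sql
-- Added example (not from the thread). Assumes a table public.private_user
-- with a user_id uuid column; the view, policy name and created_at are hypothetical.

-- 1. RLS is opt-in per table. Without this line the anon role can read every row
--    that the table GRANTs allow, which is what "fetches all the data" looks like.
alter table public.private_user enable row level security;

-- 2. Only signed-in users, and only their own row. With the anon key and no session,
--    auth.uid() is NULL, so user_id = NULL is never true and nothing comes back.
create policy "owner can read own row"
  on public.private_user
  for select
  to authenticated
  using (user_id = (select auth.uid()));

-- 3. Belt and braces: take the table away from anon entirely so a missing
--    or mis-set policy cannot expose it to unauthenticated clients.
revoke all on public.private_user from anon;

-- 4. Views run as their owner (usually postgres) and therefore skip the table's
--    RLS unless security_invoker is set (Postgres 15+). Do not expose a view
--    over sensitive data without it.
create view public.private_user_summary
  with (security_invoker = true)
  as select user_id, created_at from public.private_user;

-- 5. Diagnose which role the client is really using. Run this through the same
--    client/key the app uses (e.g. an RPC wrapper or the SQL editor while
--    impersonating the role):
--      anon key, no session      -> current_user = 'anon', auth.uid() IS NULL
--      anon key, signed in       -> current_user = 'authenticated', auth.uid() = the user's uuid
--      service_role key          -> current_user = 'service_role', which has BYPASSRLS
select current_user, auth.uid() as uid, auth.role() as jwt_role;

-- 6. Audit: any role listed here ignores RLS completely; service_role is expected,
--    anything else (or an app connecting as such a role) is a problem.
select rolname from pg_roles where rolbypassrls;
```

If step 5 reports `service_role` for requests coming from the published app, the plugin was configured with the service_role key rather than the anon key, and no policy will help until that is swapped; if it reports `anon` and rows still come back, RLS is not enabled on the table or a permissive policy for `anon`/`public` still exists.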