How to enable RLS in Supabase PostgreSQL views
August 23, 2022
If you ever created a SQL view in Supabase you may assume that RLS policies are being used in the view, since a view is just a named query. Unfortunately, SQL views created from the Supabase admin do not use RLS policies by default.
Views created from the admin panel use the privileges of the view's owner. When create them from the Supabase dashboard, the owner of the view is the super admin user. This user can bypass any RLS rules like an elephant can demolish a bazar 🐘
Yes, that was a PostgreSQL joke. Leave me alone.
I hope you are a better programmer than a comedian
To solve this, we just need to run the below query to assign the view owner to the authenticating user.
alter view view_name owner to authenticated;
Credits to this GitHub discussion for giving me the solution.
A feature, not a bug
This can be really useful in some situations. Image we were building a CMS and we had a view named
published_articles. We know that all articles in this view are public, so there is not need to write complex security rules to hide draft articles from unauthenticated users. This approach allows us to keep using an internal
articles table with simpler RLS rules.
What a banger right!? Right?
Maybe I'll write one someday, and trust me, you'll want to know. Enter your email below to get notified when I publish a new article.
I promise a zero spam, only bangers policy.