Setting Up Row Level Security

Project Source Code

Get the project source code below, and follow along with the lesson material.


To set up the project on your local machine, please follow the directions provided in the README.md file. If you run into any issues with running the project source code, then feel free to reach out to the author in the course's Discord channel.

This lesson preview is part of the Real-Time Collaborative Apps with Next.js and Supabase course and can be unlocked immediately with a Pro subscription or a single-time purchase.

[00:00 - 00:20] When you go into these tables that we just created, you can see on both of these tables there is a warning about enabling row level security. So RLS, or row level security, is a feature in SQL that lets you restrict access to specific rows of a table based on the user's role or permission.

[00:21 - 00:38] So we can create a policy that restricts access to specific people. So for example, let's say you have two storyboards and you shared one with another user called, I don't know, [email protected], and you can restrict this directly from the database; you can filter it out.

[00:39 - 00:45] You can show only these rows to this person, [email protected], just directly from the database. So it is very cool.

[00:46 - 00:54] So let's start creating these policies. So I will start with the Story table, and you can just click Enable row level security here.

[00:55 - 01:11] You can also create, enable RLS, confirm, and here you can start creating some policies. And here you can also start with the quick start, there are some templates, but I'm going to create from scratch.

[01:12 - 01:22] So here in the policies, you can give any name to it. I would call it Stories, and I will select ALL here, and target roles.

[01:23 - 01:26] Yeah, I will keep it like this. And then here is the good part.

[01:27 - 01:34] So you have to write an expression. So if the user is authenticated, then I want to show all the stories to this user.

[01:35 - 02:04] So what I'm going to do is, you have to create something like this, because I'm going to create two conditions. After this, there will be another condition, called all, because I also want to give access if someone has the email that we have in the shared user email row. So here what I'm going to do is access the auth schema, and then you can check the user ID, uid.

[02:05 - 02:22] And we can say if auth.uid, the ID of the user, is user ID, the user ID we just created. So this will let authenticated users see their stories.

[02:23 - 02:31] So that means you won't see a storyboard of different users. So you will only see your own stories.

[02:32 - 02:36] So you don't have to do any complex logic in your code. You can do it directly here.

[02:37 - 02:46] So the second part is auth.email, so we can get the email of the authenticated user. And this is like if you already shared with someone.

[02:47 - 02:53] So it's equal to shared user email. So this is a row that we have.

[02:54 - 02:59] Yeah, that's it with this. You will let only the specific user get their data.

[03:00 - 03:05] So you don't share some unnecessary data with different users. So let's review it and save the policy.

[03:06 - 03:11] Yes, great. We go to the table again.

[03:12 - 03:16] There is like one active RLS policy enabled. So that's great.

[03:17 - 03:28] And we need to do the same for the other one, sharing. So enable row level security, enable RLS, confirm.

[03:29 - 03:33] This one I'm going to do something simple. You can give it any name.

[03:34 - 03:36] Just make it like true. Anyone can access it.

[03:37 - 03:42] Yeah, that's basically it with RLS. Now both of the warnings should be gone.

[03:43 - 03:50] And yes, we have set up the database tables. And the next step is to connect our Next.js app.

[03:51 - 03:56] It's already connected to Supabase. So we just need to access this data and create some data from our Next.js app.
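The policies the lesson builds in the Supabase dashboard, written out as SQL for the SQL editor. This is an added example, not code from the lesson or the course project; the table names `stories` and `sharing`, the column names `user_id` and `shared_user_email`, and the policy names are assumptions. It goes slightly beyond the lesson: where the lesson writes one ALL policy with the owner and shared-email conditions joined by OR, the example splits them so the shared-email match grants read access only, adds a `with check` clause so writes are limited to the owner, and ends with a query that confirms the policies exist.

```sql
-- Added example (not from the lesson). Assumed names: tables public.stories and
-- public.sharing, columns stories.user_id (uuid) and stories.shared_user_email (text).

-- Turn RLS on. A table with RLS enabled and no policies returns no rows to
-- the anon/authenticated roles, so the policies below are what grant access.
alter table public.stories enable row level security;
alter table public.sharing enable row level security;

-- Owner policy: an authenticated user can read and write only rows whose
-- user_id equals auth.uid(), the subject of the caller's JWT. The WITH CHECK
-- clause applies the same rule to inserted/updated rows; without it Postgres
-- reuses the USING expression for writes.
create policy "Stories owner"
  on public.stories
  for all
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Shared policy: the user whose email matches shared_user_email may read the
-- row. Limited to SELECT so a shared user cannot edit or delete the owner's story.
create policy "Stories shared"
  on public.stories
  for select
  to authenticated
  using (auth.email() = shared_user_email);

-- The lesson's policy for the sharing table: `true` lets every role read and
-- write every row, so this table should hold nothing sensitive.
create policy "Sharing open"
  on public.sharing
  for all
  using (true)
  with check (true);

-- Check: list each policy with its command, roles and expressions.
select tablename, policyname, cmd, roles, qual, with_check
  from pg_policies
 where schemaname = 'public'
   and tablename in ('stories', 'sharing')
 order by tablename, policyname;
```

Running the final query after saving the policies in the dashboard is a quick way to confirm that `qual` and `with_check` contain the expressions you expect.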