← All posts

Supabase / Row Level Security with application user

In Postgres, tables can have Row Level Security^◹ that restrict the user’s action on each row.

With Supabase, we can create a policy that matched the current logged in user, this user is from the application level, not the database user:

create policy "Users can update their own profiles."
  on profiles for update using (
    auth.uid() = id
  );

The auth.uid() here is just a Postgres function provided by Supabase to extract the application’s current user. See its implementation here: supabase/auth-schema.sql#Line 77-78^◹.

What’s next?

• https://github.com/supabase/supabase/blob/3ec9c7c6499e4a61ca88ceb24aa4d81ee24c39ae/web/docs/guides/auth.mdx#how-it-works^◹
• https://github.com/supabase/supabase/blob/23cac64b0c40ab9421108eb830d1b7b35979bd32/web/docs/learn/auth-deep-dive/row-level-security.md^◹