Hacker News
by oliverrice 1550 days ago
If you're an existing Supabase customer you don't need to change any of your existing permissions.

pg_graphql filters out any tables/columns that aren't accessible to the user making the request. It also respects your row level security policies.

If you can't see something in the introspection schema, you'll get a friendly error if you try to access it. pg_graphql does not use any privileged access so the queries are being executed in a context that is identical to Supabase REST.


That's great, but what if I want to add a role to my user to do something like send an email with an extended schema (when that lands)? What if I'm not familiar with "row level permissions" and I have a SaaS app where different users can access different rows based on column content? Scenarios like those are where the docs fall short. PLEASE think like new users and not like seasoned engineers with prior experience with the feature set.
Supabase's row level security is just postgres row level security, it's not proprietary to Supabase. Postgres documentation, blog posts etc on RLS will apply to Supabase too.
I get this, and I've been using postgres for a long time, so I should get this. My point is that the barrier for entry is very high. Most folks that have experience with GraphQL and not intimate knowledge of Postgres security/access are going to struggle with this. It's much different than, say, PostGraphile or Hasura - both of which have a much lower barrier for entry. Folks are naturally going to compare. I've been following their GraphQL extension since its development announcement and I think this will end up being the better GraphQL product in the long term. I want Supabase to be a world-class product because I'm a fan, and that means world-class documentation.
You're definitely not wrong. I think Supabase will get there ultimately. But being a startup and presumably a small team, I think it's ok for them to lean on "Supabase is basically postgres as a service so postgres docs can fill the void for now".

And just for the record I'm not affiliated with Supabase, I just use it on a side project and quite like it.
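
An added example, not part of the thread and not taken from Supabase's or pg_graphql's documentation: the "different users see different rows based on column content" scenario raised above, written in plain Postgres row level security plus a column-level grant. The table `invoices`, the role `app_user` and the session setting `app.tenant_id` are hypothetical names chosen for illustration; the setting is assumed to be set by trusted server-side code, never by the end user.

```sql
-- Constructed sample schema: tenant_id is the column that decides row visibility.
CREATE TABLE invoices (
    id            bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id     text    NOT NULL,
    amount        numeric NOT NULL,
    internal_note text
);

-- Constructed sample rows for two tenants.
INSERT INTO invoices (tenant_id, amount, internal_note) VALUES
    ('acme',   100, 'net 30'),
    ('acme',   250, NULL),
    ('globex',  75, 'disputed');

-- Hypothetical unprivileged role that API requests run as.
CREATE ROLE app_user NOLOGIN;

-- Column-level privilege: internal_note is deliberately not granted, so
-- app_user cannot select it (SELECT * fails with a permission error too).
GRANT SELECT (id, tenant_id, amount) ON invoices TO app_user;

-- Once RLS is enabled, a role with no matching policy sees no rows (default deny).
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;

-- The table owner bypasses RLS unless it is forced; superusers and
-- roles with BYPASSRLS always bypass it.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- Row filter on column content. current_setting(..., true) returns NULL when
-- the setting is absent, the comparison is then NULL, and no row is visible.
CREATE POLICY tenant_isolation ON invoices
    FOR SELECT
    TO app_user
    USING (tenant_id = current_setting('app.tenant_id', true));

-- Verify as the unprivileged role inside a transaction so nothing persists.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = 'acme';
-- The policy restricts this query to rows whose tenant_id is 'acme'.
SELECT id, tenant_id, amount FROM invoices;
ROLLBACK;
```

Always test policies as the unprivileged role, as the final block does; a check run as the table owner or a superuser will show every row and hide a missing or wrong policy.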