by wasd 1495 days ago
The innovation in managed devops is pretty incredible! Had a question for the Supabase team regarding authorization and PostgREST.

Let's say I have Customer 1 who owns Document 2, 3. Document will have a foreign key pointing to Customer. How do I ensure that Customer 1 can't access Document 1?

1 comment

That can be solved with RLS. The JWT usually contains the application user id (Customer) and assuming Document has an ownerId column, the SELECT policy for Document would contain the `ownerId = auth.uid()`[1] condition — this would ensure customers can't access documents that they don't own.

This looks more fit to be discussed in https://github.com/supabase/supabase/discussions. I'd recommend opening a discussion there.

[1]: `auth.uid()` is just a wrapper over the `current_setting('request.jwt.claims', true)` mentioned in https://postgrest.org/en/stable/api.html#accessing-request-h...
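The policy described in the answer, written out end to end as an added example (this is not code from the thread, from Supabase or from PostgREST). Table and column names (`customer`, `document`, `owner_id` instead of the thread's `ownerId`), the API role `api_user`, and the helper `app_current_user_id()` are assumptions; the helper is a stand-in for Supabase's `auth.uid()` that reads the JWT `sub` claim from the `request.jwt.claims` setting the way footnote [1] describes. The sample customers and documents are constructed to match the question (customer 1 owns documents 2 and 3; document 1 belongs to someone else).

```sql
-- Added example: row-level security for the Customer/Document ownership case.
-- Names below are assumptions; on Supabase, replace app_current_user_id() with auth.uid().

create table customer (
  id uuid primary key
);

create table document (
  id       integer primary key,
  owner_id uuid not null references customer (id),
  body     text not null
);

-- Constructed seed data, inserted before RLS is switched on so the setup
-- itself is not subject to the policies.
insert into customer (id) values
  ('11111111-1111-1111-1111-111111111111'),   -- customer 1
  ('22222222-2222-2222-2222-222222222222');   -- customer 2
insert into document (id, owner_id, body) values
  (1, '22222222-2222-2222-2222-222222222222', 'document 1, owned by customer 2'),
  (2, '11111111-1111-1111-1111-111111111111', 'document 2, owned by customer 1'),
  (3, '11111111-1111-1111-1111-111111111111', 'document 3, owned by customer 1');

-- Stand-in for auth.uid(): PostgREST exposes the verified JWT claims through
-- current_setting('request.jwt.claims', true). With no JWT the setting is
-- NULL or '', so the function returns NULL and every policy below matches nothing.
create function app_current_user_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')::uuid
$$;

alter table document enable row level security;
alter table document force row level security;   -- apply even to the table owner

-- Read: only rows whose owner_id equals the caller's JWT subject.
create policy document_select on document
  for select using (owner_id = app_current_user_id());

-- Writes: the caller may only create or modify rows it owns, and WITH CHECK
-- stops it from re-pointing owner_id at another customer.
create policy document_insert on document
  for insert with check (owner_id = app_current_user_id());
create policy document_update on document
  for update using (owner_id = app_current_user_id())
             with check (owner_id = app_current_user_id());
create policy document_delete on document
  for delete using (owner_id = app_current_user_id());

-- Role PostgREST switches to for authenticated requests (name assumed).
-- It gets table privileges only; RLS decides which rows those privileges reach.
create role api_user nologin;
grant select, insert, update, delete on document to api_user;

-- Simulate one request from customer 1: assume the API role and set the
-- claims for this transaction the way PostgREST does.
begin;
set local role api_user;
select set_config('request.jwt.claims',
                  '{"sub":"11111111-1111-1111-1111-111111111111"}', true);

select id, body from document order by id;
-- returns only documents 2 and 3

select count(*) from document where id = 1;
-- 0: document 1 is filtered out silently, not reported as an error

update document
   set owner_id = '22222222-2222-2222-2222-222222222222'
 where id = 2;
-- fails: "new row violates row-level security policy" (WITH CHECK on update)
rollback;
```

Two details worth checking in a real deployment: `force row level security` matters if the application connects as the table owner, who would otherwise bypass the policies, and the write policies are needed alongside the SELECT policy, because a SELECT-only policy still lets an owner transfer a row to another customer or insert rows under someone else's `owner_id`.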