Hacker News new | ask | show | jobs
by mfalcao 1130 days ago
RLS is great, but it's not that hard to shoot yourself in the foot or miss stuff. E.g.:

  ALTER TABLE bookmarks ENABLE ROW LEVEL SECURITY;
  CREATE POLICY bookmarks_owner ON bookmarks USING (owner_id = auth.uid());
  CREATE VIEW recent_bookmarks AS SELECT * FROM bookmarks ORDER BY created_at DESC LIMIT 5;
The above may look fine at first glance, but recent_bookmarks actually bypasses RLS.
1 comments
steve-chavez 1130 days ago
For that there's security invoker now:

  CREATE VIEW recent_bookmarks WITH (security_invoker=true) AS 
  SELECT * FROM bookmarks ORDER BY created_at DESC LIMIT 5;
Point taken though, it's not the default behavior.
link
mfalcao 1130 days ago
Indeed - one of the great changes in v15. (for any folks on previous versions, you need to change the view owner to a non-superuser role without the bypassrls attribute).

Thanks for all your work on PostgREST, Steve! Do you think we'll see relational inserts in the near future, or is that still a bit down the road?

link