How to enable RLS in Supabase PostgreSQL views

by Victor Navarro

August 23, 2022

When using Supabase, you can protect your tables using PostgreSQL Row Level Security (RLS). On SQL land is pretty common to write SQL views to make data querying easier and faster.

If you ever created a SQL view in Supabase you may assume that RLS policies are being used in the view, since a view is just a named query. Unfortunately, SQL views created from the Supabase admin do not use RLS policies by default.

The solution

Views created from the admin panel use the privileges of the view's owner. When create them from the Supabase dashboard, the owner of the view is the super admin user. This user can bypass any RLS rules like an elephant can demolish a bazar 🐘

Yes, that was a PostgreSQL joke. Leave me alone.

I hope you are a better programmer than a comedian

To solve this, we just need to run the below query to assign the view owner to the authenticating user.

1
alter view view_name owner to authenticated;

Credits to this GitHub discussion for giving me the solution.

A feature, not a bug

This can be really useful in some situations. Image we were building a CMS and we had a view named published_articles. We know that all articles in this view are public, so there is not need to write complex security rules to hide draft articles from unauthenticated users. This approach allows us to keep using an internal articles table with simpler RLS rules.