How to enable RLS in Supabase PostgreSQL views
by Victor Navarro
August 23, 2022
If you ever created a SQL view in Supabase you may assume that RLS policies are being used in the view, since a view is just a named query. Unfortunately, SQL views created from the Supabase admin do not use RLS policies by default.
Views created from the admin panel use the privileges of the view's owner. When create them from the Supabase dashboard, the owner of the view is the super admin user. This user can bypass any RLS rules like an elephant can demolish a bazar 🐘
To solve this, we just need to run the below query to assign the view owner to the authenticating user.
alter view view_name owner to authenticated;
Credits to this GitHub discussion for giving me the solution.
A feature, not a bug
This can be really useful in some situations. Image we were building a CMS and we had a view named
published_articles. We know that all articles in this view are public, so there is not need to write complex security rules to hide draft articles from unauthenticated users. This approach allows us to keep using an internal
articles table with simpler RLS rules.