auth.uid() check not working on insert when using another user's uuid
Bug report

When adding a policy to check that the authenticated user's uuid is equal to a table's uuid, it still accepts the insert if I use another user's uuid.
To Reproduce
Steps to reproduce the behavior:
- Create a table Post (id, uuid)
- Create a policy:

```sql
create policy "users can insert only own posts" on public.posts for insert with check (auth.uid() = uuid);
```

- Execute the following on the client:

```js
await supabase.from('posts').insert([{ uuid: <another user uid> }])
```
Expected behavior
The post should not be created, since auth.uid() != uuid. But it does get created.
System information
- OS: Ubuntu
- Version of supabase-js: latest
- Version of Node.js: nextjs 10.3
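As an added example (not part of the original issue and not Supabase's own code), here is the full setup the way a practitioner would test it. The one step the reproduction above does not show is whether row level security was turned on for the table: in Postgres a CREATE POLICY is accepted but never enforced until the table has ENABLE ROW LEVEL SECURITY, so without it every insert passes regardless of the uuid. The second half simulates two authenticated users inside one transaction in the SQL editor; it assumes, as Supabase's auth.uid() does, that the user id is read from the sub claim in the request.jwt.claims setting that PostgREST populates for a real request. The two UUIDs are made up.

```sql
-- Added example, not from the original issue. Table and policy as in the
-- report, plus the step the report does not mention: enabling RLS.
create table if not exists public.posts (
  id   bigint generated by default as identity primary key,
  uuid uuid not null  -- the author's user id, compared against auth.uid()
);

-- Without this line CREATE POLICY succeeds but is never applied:
-- Postgres only evaluates policies on tables that have RLS enabled.
alter table public.posts enable row level security;

create policy "users can insert only own posts"
  on public.posts for insert
  to authenticated
  with check (auth.uid() = uuid);

-- Let users read their own rows; otherwise a successful insert returns
-- no row when supabase-js asks for the inserted record back.
create policy "users can read own posts"
  on public.posts for select
  to authenticated
  using (auth.uid() = uuid);

-- Simulate an authenticated user inside one transaction.
-- Assumption: auth.uid() reads the 'sub' claim from request.jwt.claims,
-- which is what PostgREST sets for a real request. UUIDs are made up.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
    true);  -- true = setting is local to this transaction

  -- Own uuid: allowed.
  insert into public.posts (uuid)
    values ('11111111-1111-1111-1111-111111111111');

  -- Another user's uuid: must fail with
  -- ERROR: new row violates row-level security policy for table "posts"
  insert into public.posts (uuid)
    values ('22222222-2222-2222-2222-222222222222');
rollback;
```

Two further checks worth making on the client side. First, a supabase-js client created with the service_role key bypasses RLS entirely; the test above only means something with the anon key plus a user session. Second, supabase-js does not throw when the database rejects the insert: the call resolves with an error property on the result, so `await supabase.from('posts').insert(...)` without inspecting error looks identical whether the row was written or refused. Check the returned error and, after the call, query the table as the same user to confirm the row is absent.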
In case someone else stumbles upon this thread and has the same issue as @pradeepknowstocode, the table you're joining from (in this case profile_role) must also be readable according to RLS rules. Took me a while to figure out I forgot to add read permissions for my users table 😃

Nevermind, it works now. Thanks for the help.
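As an added example (not part of the thread and not Supabase's own code), the situation the comment describes: an insert policy on posts that consults a second table, profile_role, which has RLS enabled but no SELECT policy. Policy expressions are evaluated with the privileges of the requesting role, so RLS on profile_role applies inside the subquery; with no read policy the subquery sees no rows and the check fails even for the right user. The column names and the 'author' role value are assumptions.

```sql
-- Added example, not from the thread. Column names and the 'author'
-- role are assumed.
create table if not exists public.profile_role (
  user_id uuid primary key,
  role    text not null
);
alter table public.profile_role enable row level security;

create table if not exists public.posts (
  id   bigint generated by default as identity primary key,
  uuid uuid not null
);
alter table public.posts enable row level security;

-- The insert policy looks up the caller's role in profile_role.
create policy "authors can insert own posts"
  on public.posts for insert
  to authenticated
  with check (
    auth.uid() = uuid
    and exists (
      select 1 from public.profile_role pr
      where pr.user_id = auth.uid() and pr.role = 'author'
    )
  );

-- Broken state at this point: profile_role has RLS enabled but no SELECT
-- policy, so the subquery, evaluated as the 'authenticated' role, returns
-- no rows and every insert is rejected, even for a real author.

-- Fix 1: let each user read their own profile_role row, which is all the
-- subquery needs.
create policy "users can read own role"
  on public.profile_role for select
  to authenticated
  using (auth.uid() = user_id);

-- Fix 2, when the role table must stay unreadable to clients: a
-- security definer function runs with its owner's privileges, and a
-- table owner is not subject to its own policies unless FORCE ROW LEVEL
-- SECURITY is set, so the lookup inside it ignores RLS on profile_role.
create or replace function public.is_author(uid uuid)
returns boolean
language sql
security definer
set search_path = public
stable
as $$
  select exists (
    select 1 from public.profile_role
    where user_id = uid and role = 'author'
  );
$$;

-- Replace the inline subquery with the function so the policy no longer
-- depends on a read policy on profile_role.
drop policy "authors can insert own posts" on public.posts;
create policy "authors can insert own posts"
  on public.posts for insert
  to authenticated
  with check (auth.uid() = uuid and public.is_author(auth.uid()));
```

Whichever fix is used, the read policy on the joined table should expose only the rows the policy actually needs (here, the caller's own row); granting broad SELECT on a roles table just to make an insert policy work turns a role lookup into an enumeration of every user's role.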