7

I'm trying to insert a row into my table, which has RLS enabled and the "Enable insert for authenticated users only" policy added. Unfortunately, I cannot insert even though I'm correctly logged in.

Steps to reproduce:

  1. Create submissions table

         create table submissions ( stuff text );

  2. Enable RLS

         alter table submissions enable row level security;

  3. Add Policy

         CREATE POLICY "Enable insert for authenticated users only"
           ON public.submissions
           FOR INSERT
           WITH CHECK (auth.role() = 'authenticated');

  4. On client, I log in using magic links (the object is correctly added in localStorage so I know I'm logged in)

  5. I try to insert

         // supabase is an already initialised client
         const { data, error } = await supabase
           .from("submissions")
           .insert({ stuff: 'hello' });

     The Authorization Bearer <Jwt> is present in the HTTP call.

  6. But I got an error

         {
           "hint": null,
           "message": "new row violates row-level security policy for table \"submissions\"",
           "code": "42501",
           "details": null
         }

What am I doing wrong here?

2 Answers

13

I found what was wrong.

The thing is, the default behaviour of supabase.insert returns the row we just inserted; in other words, it selects it (reads it) from the table. As I hadn't added a policy to read the table, it failed.

So two solutions:

  1. Add a new Policy to be able to SELECT from that table
  2. Add { returning: "minimal" } to the supabase.insert so it does not send the row back

1 Comment

Not sure if anything has changed with the supabase API since this answer, but it led me to my solution anyway. I didn't have to add { returning: 'minimal' } as I assume that is not on the API anymore, but I did have to remove the .select().single() that I had originally chained onto the end of the .insert() call (`.insert().select().single()`)
2

Yep -- I ran into the same thing the first time I tried to add an RLS policy that only allowed INSERT and not SELECT (for letting users log info to a table.)

We've discussed making { returning: "minimal" } the default for insert, update, and delete, but I don't think that will happen.

It's just something to be aware of (and it is in the documentation, but easy to miss.)

4 Comments

Thanks @Mark! Maybe if you could check another issue of mine as well, that would be fantastic: github.com/supabase/supabase/discussions/3524 :)
Done! And I'm happy to help.
Awesome! Thanks @Mark, that will be helpful. If you have some spare time, I would be happy to jump on a quick call (Google Meet or something, it should last 20 min or so :)) with you to talk about the (definitely improvable) design structure I've set up for my voting system. If you do have some spare time, let me know and I'll send you an email :) Many thanks!
The best thing to do is to join our Discord channel and hit me up (or one of the other developers). You can reach me there as @burggraf.
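
The behaviour both answers describe can be reproduced in plain PostgreSQL. This is an added example, not code from the original posts or from Supabase: the `app_user` role and the `owner` column are constructed stand-ins for Supabase's `authenticated` role and a per-user id, and it assumes a superuser session in a scratch database.

```sql
-- Added example; everything runs inside one transaction and is rolled back.
BEGIN;

CREATE ROLE app_user NOLOGIN;                 -- constructed role
CREATE TABLE submissions (
  stuff text,
  owner name NOT NULL DEFAULT current_user    -- hypothetical ownership column
);
ALTER TABLE submissions ENABLE ROW LEVEL SECURITY;
GRANT INSERT, SELECT ON submissions TO app_user;

-- Insert-only policy, as in the question: no SELECT policy exists yet.
CREATE POLICY "insert own rows" ON submissions
  FOR INSERT TO app_user WITH CHECK (owner = current_user);

SET LOCAL ROLE app_user;

-- 1. Plain INSERT: only the INSERT policy's WITH CHECK is evaluated.
INSERT INTO submissions (stuff) VALUES ('hello');

-- 2. INSERT ... RETURNING reads the new row back, so SELECT policies are
--    applied to it as well. With none defined the statement is rejected with
--    SQLSTATE 42501, the error shown in the question.
SAVEPOINT before_returning;
INSERT INTO submissions (stuff) VALUES ('hello again') RETURNING *;
ROLLBACK TO SAVEPOINT before_returning;

-- 3. A bare SELECT does not raise an error: with no SELECT policy,
--    default deny silently filters every row out.
SELECT count(*) AS visible_rows FROM submissions;

-- 4. Add a SELECT policy scoped to the caller's own rows rather than
--    USING (true), then retry the RETURNING form.
RESET ROLE;
CREATE POLICY "read own rows" ON submissions
  FOR SELECT TO app_user USING (owner = current_user);
SET LOCAL ROLE app_user;
INSERT INTO submissions (stuff) VALUES ('hello again') RETURNING *;

ROLLBACK;  -- drops the constructed role, table and policies
```

In supabase-js terms, statement 1 is what `{ returning: "minimal" }` asks for, and statement 2 is the default insert from the question.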
