
My configuration is very basic. A simple supabase database with one table.

I use supabase-py to interact with it. The problem is that I always get an empty list:

from supabase import create_client

# Project URL and API key from the Supabase dashboard (placeholders here)
URL = "MY_URL_HERE"
API_KEY = "MY_API_KEY_HERE"

supabase = create_client(URL, API_KEY)

# Select every row of the table through the REST API
response = supabase.table("prod_vxf").select("*").execute()

print(response.data)
# []

After checking some similar topics like this one, it seems that the only solution is by turning off RLS. So I went to the dashboard and turned off the RLS for the table prod_vxf and it worked. Now, the code above gives a non-empty list:

print(response.data)
[
    {"id": 1, "created_at": "2024-01-01T00:00:00+00:00"},
    {"id": 2, "created_at": "2024-01-02T00:00:00+00:00"},
    {"id": 3, "created_at": "2024-01-03T00:00:00+00:00"},
]

But what is very confusing is the warning below that hits my screen when I try to turn off the RLS for a given table in the supabase dashboard. Does it mean that anyone on the internet (even without knowing url + api key) can access (read and write) my database and its tables? Honestly, I'm super confused by the term "publicly" used by the warning.

[Screenshot: the Supabase dashboard warning shown when disabling RLS on a table]

  • Read this Supabase RLS. Commented Sep 10, 2024 at 15:56
  • Sounds like RLS is not configured correctly? Or if you need elevated permission maybe a service_role: supabase.com/docs/guides/api/api-keys Commented Sep 10, 2024 at 15:56
  • Thank you my friends for the help. @AdrianKlaver, the docs are very difficult for me to understand. With RLS turned off, is my data publicly available? @_akuiper, I just want to be able to interact with the database to do CRUD in realtime, me and my colleagues, through a python application. Can you explain what I'm supposed to do please? Commented Sep 10, 2024 at 15:58
  • You will need to read the docs. Security is a layered operation and you need to understand how Supabase implements it in order to make changes without opening yourself to attack. This is going to depend on how you are allowing people to access your site, what information they can see and what roles/privileges you want to grant on what data. Commented Sep 10, 2024 at 18:45
  • Thank you again @AdrianKlaver but my question is very straightforward and simple. I feel like either no one has a clear answer or no one wants to tell the truth. I just want to know if, by turning off the RLS of a table in supabase, anyone on the internet can access it without knowing the url and api key. Commented Sep 11, 2024 at 11:15

1 Answer

Does it mean that anyone on the internet (even without knowing url + api key) can access (read and write) my database and its tables?

It's publicly as in the database role PUBLIC:

The special “role” name PUBLIC can be used to grant a privilege to every role on the system.

That is every role inside that db, not the general, public internet public. It's not like that change suddenly peels away all security from your entire database cluster. The answer to your question is a hard no.

  • Everyone still needs to know the connection string to get in, or the URL plus an API key to perform operations indirectly.
  • Anyone that does get in either way still needs to do so as a user that has the privileges to access the table. Only then can they CRUD records in that table freely, but since RLS is a per-table setting, it only applies to that one single table. You can check others to confirm they are still protected.
  • The Auth policies they also mention won't work because they rely on RLS.

If it's just you and your friends working on the app, this doesn't matter much. If you plan to make the app available to a broader audience, make sure you read up on this and other security features and keep them in mind. Later on it might be pretty difficult and laborious to redesign everything if it's built as a ring-0-only, everyone-is-superuser creative mode playground.

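The answer above makes two points that lead to a concrete fix: RLS is a per-table switch, and the dashboard's Auth policies only work while RLS is on. What the question actually needs (CRUD for two people through a Python app) is therefore a policy, not RLS turned off. The SQL below is an added example, not code from the question, the answer or Supabase's own docs. It assumes the table lives in the public schema, that the app signs users in with Supabase Auth so each request carries a user JWT and auth.uid() is set, and that the two UUIDs are placeholders for the team members' real auth.users ids.

```sql
-- Added example (not from the page): keep RLS enabled on prod_vxf and let a
-- fixed set of signed-in users do CRUD through policies.

-- 1. Turn RLS back on. With RLS on and no policies, the anon and
--    authenticated roles see nothing, which is the [] supabase-py returned.
alter table public.prod_vxf enable row level security;

-- 2. One helper so the member list is written once. The UUIDs are
--    placeholders; replace them with the ids from auth.users.
create or replace function public.is_team_member()
returns boolean
language sql
stable
as $$
  select auth.uid() in (
    '00000000-0000-0000-0000-000000000001'::uuid,  -- placeholder: team member A
    '00000000-0000-0000-0000-000000000002'::uuid   -- placeholder: team member B
  );
$$;

-- 3. One policy per operation, granted only to the authenticated role.
--    USING filters rows that can be seen/changed; WITH CHECK validates
--    rows being written.
create policy "team can read prod_vxf"
  on public.prod_vxf
  for select
  to authenticated
  using (public.is_team_member());

create policy "team can insert prod_vxf"
  on public.prod_vxf
  for insert
  to authenticated
  with check (public.is_team_member());

create policy "team can update prod_vxf"
  on public.prod_vxf
  for update
  to authenticated
  using (public.is_team_member())
  with check (public.is_team_member());

create policy "team can delete prod_vxf"
  on public.prod_vxf
  for delete
  to authenticated
  using (public.is_team_member());

-- 4. No policy is granted to the anon role, so a request made with only the
--    project URL and the public anon key still returns an empty list.
```

Run this in the project's SQL editor. In the Python client, call supabase.auth.sign_in_with_password(...) before querying so the request carries the user's JWT; the same select("*") then returns rows for a team member and [] for anyone else. The service_role key bypasses RLS entirely, so it belongs only in server-side code, never in a client that end users can inspect.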

2 Comments

Thank you so much my friend but I'm still confused. Is it a "yes" or a "no" to my question? We're only two (me and my friend) working on the app.
@VERBOSE No problem. I've edited the answer to include a clear 'no'. Changing RLS on any table does not allow any unauthorized users to get into your db and access that, or any other, table. Only users that can already connect and log into it will have more freedom working on that one table when you switch off RLS, as long as their role was granted access to it in the first place.
