The innovation in managed devops is pretty incredible! Had a question for the Supabase team regarding authorization and PostgREST.
Let's say I have Customer 1 who owns Document 2, 3. Document will have a foreign key pointing to Customer. How do I ensure that Customer 1 can't access Document 1?
That can be solved with RLS. The JWT usually contains the application user id (Customer) and assuming Document has an ownerId column, the SELECT policy for Document would contain the `ownerId = auth.uid()`[1] condition — this would ensure customers can't access documents that they don't own.
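The policy described in the answer above, written out as an added example (not part of the original comment and not Supabase's own code). The `app_user` role, the table layout and the sample UUIDs are assumptions, and the `auth.uid()` definition is a stand-in so the script runs on plain PostgreSQL; on Supabase that function already exists.

```sql
-- Stand-in for Supabase's auth.uid() (assumption: the JWT claims arrive as JSON
-- in the request.jwt.claims setting). Skip this section on Supabase itself.
create schema if not exists auth;
create or replace function auth.uid() returns uuid language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::json ->> 'sub')::uuid
$$;
create role app_user nologin;  -- hypothetical role that API requests run as
grant usage on schema auth to app_user;

create table customer (id uuid primary key);
create table document (
  id        int  primary key,
  "ownerId" uuid not null references customer (id),  -- camelCase names must stay quoted
  title     text
);
grant select on document to app_user;

-- The policy is only consulted once RLS is enabled on the table.
alter table document enable row level security;
create policy document_select_own on document
  for select to app_user
  using ("ownerId" = auth.uid());

-- Constructed sample data: Customer 1 owns Documents 2 and 3, Customer 2 owns Document 1.
insert into customer values
  ('00000000-0000-0000-0000-000000000001'),
  ('00000000-0000-0000-0000-000000000002');
insert into document values
  (1, '00000000-0000-0000-0000-000000000002', 'belongs to customer 2'),
  (2, '00000000-0000-0000-0000-000000000001', 'belongs to customer 1'),
  (3, '00000000-0000-0000-0000-000000000001', 'belongs to customer 1');

-- Simulate one request from Customer 1. Superusers and the table owner bypass
-- RLS, so the check has to run as the restricted role.
begin;
set local role app_user;
select set_config('request.jwt.claims',
                  '{"sub": "00000000-0000-0000-0000-000000000001"}', true);
select id, title from document order by id;   -- list everything the caller may see
select id, title from document where id = 1;  -- ask for Document 1 directly
rollback;
```

The `using` clause is appended to every SELECT issued as `app_user`, so a direct lookup by id is filtered the same way as a full listing. With no claims set, `auth.uid()` returns NULL and the comparison matches no rows.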