
How much should one trust RLS? Reading PostgREST, it looks like you could use a JWT parameter to enforce a policy - whether individual user or group based.

I really love the idea of RLS, but wonder at its provable security properties.



RLS is rock solid. That's what Supabase leverages to create access policies and more. They have a very good example of how it works and how powerful it is in their docs: https://supabase.com/docs/guides/database/postgres/row-level...


Last I looked (several versions ago) RLS for `UPDATE`s was not great. Checking now... I see the same problem remains for `UPDATE`s, that you can't see old and new values for the affected row in the policy code. The workaround, when you need to see the old and new values, is to use a `TRIGGER`.


Not an expert, but my impression is that RLS is not only rock solid, but far more testable, since you can construct SQL queries that test virtually any access scenario.
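The `UPDATE` limitation and the testability point raised in the two comments above, as an added example (not code from any commenter): it assumes PostgreSQL with PostgREST's `request.jwt.claims` transaction setting and a hypothetical non-superuser role `app_user`.

```sql
-- Added example: RLS policy that reads the PostgREST JWT, plus a BEFORE UPDATE
-- trigger that sees OLD and NEW together, which an RLS policy cannot.
CREATE TABLE documents (
    id       bigserial PRIMARY KEY,
    owner_id text NOT NULL,
    status   text NOT NULL DEFAULT 'draft',
    body     text
);
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;  -- apply to the table owner too

-- Assumption: PostgREST exposes the verified JWT as the transaction-local
-- setting request.jwt.claims (JSON); missing_ok = true yields NULL otherwise.
CREATE FUNCTION current_subject() RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT current_setting('request.jwt.claims', true)::jsonb ->> 'sub'
$$;

-- USING is evaluated against the existing row, WITH CHECK against the proposed
-- row. Neither expression can reference the other version of the row.
CREATE POLICY documents_owner_update ON documents
    FOR UPDATE
    USING      (owner_id = current_subject())
    WITH CHECK (owner_id = current_subject());

-- Workaround: a trigger receives OLD and NEW, so it can enforce rules that
-- depend on both, e.g. a one-way status transition.
CREATE FUNCTION documents_guard_update() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF OLD.status = 'published' AND NEW.status <> 'published' THEN
        RAISE EXCEPTION 'document % cannot be unpublished', OLD.id
            USING ERRCODE = 'insufficient_privilege';
    END IF;
    RETURN NEW;
END;
$$;
CREATE TRIGGER documents_guard_update
    BEFORE UPDATE ON documents
    FOR EACH ROW EXECUTE FUNCTION documents_guard_update();

-- Testing an access scenario in plain SQL, no PostgREST needed. Assumes a
-- non-superuser role app_user with UPDATE granted (superusers bypass RLS).
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('request.jwt.claims', '{"sub":"alice"}', true);
-- Rows alice does not own are invisible to USING and are simply not updated;
-- a published row she does own raises from the trigger.
UPDATE documents SET status = 'draft' WHERE id = 1;
ROLLBACK;
```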


You don't have to use RLS. You can do permissioning in VIEWs and TRIGGERs.



