RLS策略基于另一张表格

huangapple go评论66阅读模式
英文:

RLS Policy for a table based on another table

问题

根据我学到的知识,设置 RLS 应该很容易。但不知何故,我无法使其工作。请为我解惑。谢谢。

对于表 student,我的策略如下:

CREATE POLICY "crud" ON "public"."student"
AS PERMISSIVE FOR ALL
TO public
USING ((id IN (SELECT sb.student_id FROM student_branch sb WHERE (sb.branch_id = (SELECT a.branch_id FROM admin a WHERE (a.id = '62bfcd1c-016c-416a-a155-388e766b411f'::uuid))))))
WITH CHECK ((id IN (SELECT sb.student_id FROM student_branch sb WHERE (sb.branch_id = (SELECT a.branch_id FROM admin a WHERE (a.id = '62bfcd1c-016c-416a-a155-388e766b411f'::uuid))))))

基本上,一个具有 ID 为 62bfcd1c-016c-416a-a155-388e766b411f 的管理员,属于(假设)branch_id = 1,应该只能看到表 student_branchbranch_id = 1 的学生。

但我得到了空结果。我尝试运行下面的 SQL 语句,它可以正常工作,但策略没有执行。

SELECT * FROM student WHERE (id IN (SELECT sb.student_id
FROM student_branch sb
WHERE (sb.branch_id = (SELECT admin.branch_id
FROM admin
WHERE (admin.id = '62bfcd1c-016c-416a-a155-388e766b411f'::uuid)))))

学生数据:

id, name
========
1, Student 1
2, Student 2

管理员数据:

id, name, branch_id
===================
62bfcd1c-016c-416a-a155-388e766b411f, Admin 1, 1

学生分支数据:

id, student_id, branch_id
=========================
1, 1, 1

使用 Supabase API 访问:

<url>/student?select=*

英文:

And based on what I learned, setting an RLS should be easy. But somehow I couldn't make this work. Please shed some light. Thanks.

For table student, my policy is as this:

    CREATE POLICY &quot;crud&quot; ON &quot;public&quot;.&quot;student&quot;
AS PERMISSIVE FOR ALL
TO public
USING ((id IN ( SELECT sb.student_id FROM student_branch sb WHERE (sb.branch_id = ( SELECT a.branch_id FROM admin a WHERE (a.id = &#39;62bfcd1c-016c-416a-a155-388e766b411f&#39;::uuid))))))
WITH CHECK ((id IN ( SELECT sb.student_id FROM student_branch sb WHERE (sb.branch_id = ( SELECT a.branch_id FROM admin a WHERE (a.id = &#39;62bfcd1c-016c-416a-a155-388e766b411f&#39;::uuid))))))

which basically an admin with id 62bfcd1c-016c-416a-a155-388e766b411f which belong to, let say branch_id = 1 should see only student for branch_id = 1 in table student_branch,

But I get empty result. I tried running sql statement below, it works ok but the policy did not get enforced.

select * from student where (id IN ( SELECT sb.student_id
       FROM student_branch sb
      WHERE (sb.branch_id = ( SELECT admin.branch_id
               FROM admin
              WHERE (admin.id = &#39;62bfcd1c-016c-416a-a155-388e766b411f&#39;::uuid)))))

the student data

id, name
========
1, Student 1
2, Student 2

the admin data

id, name, branch_id
============
62bfcd1c-016c-416a-a155-388e766b411f, Admin 1, 1

the student_branch data

id, student_id, branch_id
======================
1, 1, 1

access using Supabase API:

&lt;url&gt;/student?select=*

答案1

得分: 0

好的。看起来我需要正确配置我所引用的另一张表 student_branchadmin 的策略。

现在我对这两张表使用这个策略:

创建策略 "policy_name"
在 public.student_branch 上
对于 SELECT 使用 (
  真
);

我担心这个策略太开放了,我计划在另一个新问题中提出。

英文:

OK. It seems I've to correctly configure policy for the other table that I'm referring to: student_branch and admin.

Right now I'm using this policy for those two tables:

CREATE POLICY &quot;policy_name&quot;
ON public.student_branch
FOR SELECT USING (
  true
);

which I fear is too open which I plan to ask in another new question.

huangapple
  • 本文由 发表于 2023年6月22日 15:47:53
  • 转载请务必保留本文链接:https://go.coder-hub.com/76529635.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定