Supabase RLS: Stop Trusting the authenticated Role
Chet
Supabase makes RLS approachable, which is exactly why so many projects ship with policies that check nothing. If your write policy is TO authenticated USING (true), every logged-in user can edit every row.
The common mistake
Granting the authenticated role blanket access treats 'is logged in' as 'is allowed.' Those are different questions.
Ownership-scoped policies
CREATE POLICY "owners edit own posts"
ON posts FOR UPDATE
USING (auth.uid() = author_id)
WITH CHECK (auth.uid() = author_id);USING controls which rows you can see. WITH CHECK controls what you are allowed to write. You need both.
Admin via claims, not roles
Put an is_admin flag in a profiles table and check it in the policy, rather than leaning on Postgres roles that your API client shares.
- Read policies: scope to published or owned rows
- Write policies: always pair USING with WITH CHECK
- Never expose the service-role key to the browser
RLS is a firewall. Configure it like one.