You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm building a image storage system, and I'm setting up a RLS. A user can only access images of a task if they have created the project containing the tasks.
My tables look like that:
Projects: id, created_by, ...
Tasks: id, name, project_id, ...
My bucket looks like that:
tasks_images:
/taskid1(one folder per task)
/file1
/file2
/taskid2
/file3
My storage RLS
create policy "User must be the creator of the project to access a tasks images"on"storage"."objects"as permissive
for select
to public
using (
bucket_id ='tasks_images'ANDauth.role() ='authenticated'AND EXISTS (
SELECT1FROM tasks task JOIN project proj ONproj.id=task.project_idWHEREtask.id::text= (storage.foldername(name))[1]
ANDproj.created_by=auth.uid()
)
);
Here, I'm using WHERE task.id::text = (storage.foldername(name))[1] as I'm creating a subfolder for each task.
The problem: when I create this RLS (either by applying a migration or using the studio), it gets rewritten. When I view it (or query directly pg_policies), the condition is changed to:
It is reflecting what Postgres will do with your SQL. As it is in a select all non table.column references are assumed to belong to the table being selected. You need to prefix it with objects.name I'm pretty sure.
Bug report
Describe the bug
I'm building a image storage system, and I'm setting up a RLS. A user can only access images of a task if they have created the project containing the tasks.
My tables look like that:
My bucket looks like that:
My storage RLS
Here, I'm using
WHERE task.id::text = (storage.foldername(name))[1]
as I'm creating a subfolder for each task.The problem: when I create this RLS (either by applying a migration or using the studio), it gets rewritten. When I view it (or query directly pg_policies), the condition is changed to:
I look like some optimization step is thinking "table Tasks has a 'name' column, so this 'name' variable must be that".
To Reproduce
Expected behavior
Screenshots
System information
Additional context
The text was updated successfully, but these errors were encountered: