dabit3/supabase-next.js

How to make posts private for a user?

Opened this issue · 1 comments

In the getStaticProps method in the posts/[id].js file, there is the following query to Supabase:

  const { data } = await supabase
    .from("posts")
    .select()
    .filter("id", "eq", id)
    .single();

According to the Readme, we set up Row Level Security with the following policy:

create policy "Posts are public." on posts for
    select using ( true );

In a production setting, this means that a user could technically access Supabase directly, i.e.

const { data } = await supabase.from("posts").select()

to get all of the posts in the database, including ones they did not author.

Is there a configuration change that would make the posts private, or only accessible to the authoring user?

Thanks for the great open source template, it worked perfectly otherwise.

I dug in a bit and realized that if I apply

uid() = user_id

for the select policy, it will work as expected on the client-side Supabase method invocations.

However, in the getStaticProps and getStaticPaths methods, it appears to fail.

I imagine the server-side Supabase instance is not properly authenticated.
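
The owner-only select policy discussed in this thread, put in place of the public one and checked under both roles, as an added example that is not part of the original issue or of the template. It assumes the Supabase SQL editor, the `anon` and `authenticated` roles that Supabase creates, `auth.uid()` as the schema-qualified form of the `uid()` quoted above, and a constructed user id.

```sql
-- Added example (not the template's code). Targets the posts table and the
-- user_id column named in the issue.

begin;
  -- Remove the Readme policy that lets every role read every row.
  drop policy "Posts are public." on posts;

  -- A row is readable only when the caller's JWT subject matches its author.
  create policy "Authors can read their own posts." on posts
    for select using ( auth.uid() = user_id );
commit;

-- Check 1: impersonate a signed-in user. The uuid is a constructed sample;
-- substitute a real id from auth.users. Both claim settings are written
-- because which one auth.uid() reads depends on the Supabase version
-- (assumption: it reads at least one of the two).
begin;
  select set_config('request.jwt.claim.sub',
                    '00000000-0000-0000-0000-000000000001', true);
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
                    true);
  set local role authenticated;
  -- Every row returned here should carry the impersonated user_id.
  select id, user_id from posts;
rollback;

-- Check 2: the anon role with no JWT, which is what a request made with
-- only the public anon key looks like. auth.uid() is null, and
-- null = user_id is never true, so the policy admits no rows.
begin;
  set local role anon;
  select count(*) as visible_to_anon from posts;
rollback;
```

A build-time `getStaticProps` or `getStaticPaths` call carries no user JWT, so it is in the position of check 2. Statically generated output is served to every visitor, so pages for private posts need to be fetched per request with the user's token rather than pre-rendered.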