Permissions

In most cases, you won't need to use the permissions API directly. Instead, each account returns the current user's role in the get_account lookup function. In some cases, however, it can be useful to have dedicated functions for lookup.


POST /rpc/current_user_account_role

Current user role

Returns the current user's role for a given account.

Required attributes

  • Name
    account_id
    Type
    uuid
    Description

    Unique UUID for the account you're trying to look up

Request

POST
/rpc/current_user_account_role
curl https://YOUR_SUPABASE/rest/v1/rpc/current_user_account_role \
-X POST \
-H "Authorization: Bearer SUPABASE_AUTH_TOKEN" \
-H "apikey: SUPABASE_ANON_KEY" \
-H "Content-Type: application/json" \
-d '{"account_id": "uuid"}'

Response

{
    "account_role": "member",
    "is_primary_owner": false,
    "is_personal_account": false
}

POST /rpc/update_account_user_role

Update user role

Updates the role of a user in a given account. Also allows you to change the primary owner of an account.

Required attributes

  • Name
    account_id
    Type
    uuid
    Description

    Unique UUID for the account you're trying to look up

  • Name
    user_id
    Type
    uuid
    Description

    Unique UUID for the user you're trying to update the role for

  • Name
    new_account_role
    Type
    account_role
    Description

    The new role you want to assign to the user. By default, this can be member or owner unless you've added custom roles.

Optional attributes

  • Name
    make_primary_owner
    Type
    boolean
    Description

    Defaults to false. If you want to make the user the primary owner of the account, set this to true. You must also set the user's role to owner when doing this.

Request

POST
/rpc/update_account_user_role
curl https://YOUR_SUPABASE/rest/v1/rpc/update_account_user_role \
-X POST \
-H "Authorization: Bearer SUPABASE_AUTH_TOKEN" \
-H "apikey: SUPABASE_ANON_KEY" \
-H "Content-Type: application/json" \
-d '{"account_id": "uuid", "user_id": "uuid", "new_account_role": "member"}'

Response

empty response
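
A pre-flight check for the request above, as an added example that is not part of the Basejump documentation or code base. It rejects malformed UUIDs, roles outside the default set, and a make_primary_owner request that does not also set the owner role, before anything is sent. The names buildRoleUpdateRequest, updateAccountUserRole, UUID_RE and ALLOWED_ROLES are hypothetical; client-side validation like this is a convenience for callers, not an authorization control.

```javascript
// Hypothetical helpers for calling update_account_user_role; not Basejump code.
// UUID_RE accepts any canonical 8-4-4-4-12 hex UUID string.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Default roles per the docs; extend this set if you've added custom roles.
const ALLOWED_ROLES = new Set(["member", "owner"]);

function buildRoleUpdateRequest(baseUrl, { accountId, userId, newRole, makePrimaryOwner = false }) {
  for (const [name, value] of [["account_id", accountId], ["user_id", userId]]) {
    if (typeof value !== "string" || !UUID_RE.test(value)) {
      throw new TypeError(`${name} must be a UUID`);
    }
  }
  if (!ALLOWED_ROLES.has(newRole)) {
    throw new RangeError(`unknown account role: ${newRole}`);
  }
  // Documented rule: the new primary owner must also be given the owner role.
  if (makePrimaryOwner && newRole !== "owner") {
    throw new RangeError("make_primary_owner requires new_account_role 'owner'");
  }
  const body = { account_id: accountId, user_id: userId, new_account_role: newRole };
  if (makePrimaryOwner) body.make_primary_owner = true; // omitted otherwise (defaults to false)
  return {
    url: `${baseUrl.replace(/\/+$/, "")}/rest/v1/rpc/update_account_user_role`,
    method: "POST",
    body: JSON.stringify(body),
  };
}

async function updateAccountUserRole(baseUrl, anonKey, userToken, args) {
  const { url, method, body } = buildRoleUpdateRequest(baseUrl, args);
  const res = await fetch(url, {
    method,
    headers: {
      Authorization: `Bearer ${userToken}`,
      apikey: anonKey,
      "Content-Type": "application/json",
    },
    body,
  });
  // The endpoint returns an empty body on success, so only the status is checked.
  if (!res.ok) throw new Error(`role update rejected: HTTP ${res.status}`);
}
```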

FUNCTION basejump.has_role_on_account

Check for user role on account

Checks if the current user has a specific role on a given account.

Required attributes

  • Name
    account_id
    Type
    uuid
    Description

    Unique UUID for the account you're trying to look up

Optional attributes

  • Name
    Account Role
    Type
    account_role
    Description

    Defaults to null, returning true if the user has any role on the account. Accepts any defined account role. For example, passing in owner will only return true if the user is an owner on the account.

Usage

FUNCTION
basejump.has_role_on_account
-- only account members can view posts
create policy "Only members can view posts" on posts
for select
to authenticated
using (
    basejump.has_role_on_account(account_id) = true
);

-- only account owners can update posts
create policy "Only owners can update posts" on posts
for update
to authenticated
using (
    basejump.has_role_on_account(account_id, 'owner') = true
);

FUNCTION basejump.get_accounts_with_role

Lookup user accounts with role

Returns the accounts the current user is a member of, optionally limited to accounts where the user has a specific role.

Optional attributes

  • Name
    Account Role
    Type
    account_role
    Description

    Defaults to null, returning all accounts the user is a member of. Limit the results to accounts where the current user has a specific role. For example, passing in owner will return only accounts the user is the owner of.

Usage

FUNCTION
basejump.get_accounts_with_role
-- only account members can view posts
create policy "Only members can view posts" on posts
    for select
    to authenticated
    using (
        account_id IN (SELECT basejump.get_accounts_with_role())
    );

-- only account owners can update posts
create policy "Only owners can update posts" on posts
    for update
    to authenticated
    using (
        account_id IN (SELECT basejump.get_accounts_with_role('owner'))
    );