RLS and Permissions

As you're building out your app on Supabase, you'll likely want to control access to reading or updating data based on account permissions. Basejump provides a set of default roles and permissions that you can use to get started, but you can also create your own.

Row Level Security

Supabase uses RLS (Row Level Security) to enforce permissions within the database. It's the reason they can allow direct access to the database without exposing sensitive data.

Basejump handles permissions on all provided tables by default, and also has tests in place to ensure no added tables are pushed without RLS enabled.

To learn more about configuring RLS policies, check out the official Supabase guide.

Protecting access to data in tables

To protect access to tables, you'll need to enable RLS on the table and then create some relevant policies. Below are some examples of policies you can use to protect access to your data.

We've also created an example schema for a new table to make this easy.

Testing your policies

Example RLS policies

In each policy, replace posts with the name of the table you want to protect.

Only allow account members to view posts

create policy "Only members can view posts" on posts
    for select
    to authenticated
    using (
        (account_id IN ( SELECT basejump.get_accounts_with_role()))
    );

Allow only account owners to update posts

create policy "Only owners can update posts" on posts
    for update
    to authenticated
    using (
        (account_id IN ( SELECT basejump.get_accounts_with_role('owner')))
    );

Authenticated users should be able to read all records regardless of account

create policy "All logged in users can select" on posts
    for select
    to authenticated
    using (true);

Authenticated AND Anon users should be able to read all records regardless of account

create policy "All authenticated and anonymous users can select" on posts
    for select
    to authenticated, anon
    using (true);

Users should be able to read records that are owned by an account they belong to

create policy "Account members can select" on posts
    for select
    to authenticated
    using (
        (account_id IN ( SELECT basejump.get_accounts_with_role()))
    );

Users should be able to create records that are owned by an account they belong to

create policy "Account members can insert" on posts
    for insert
    to authenticated
    with check (
        (account_id IN ( SELECT basejump.get_accounts_with_role()))
    );

Users should be able to update records that are owned by an account they belong to

create policy "Account members can update" on posts
    for update
    to authenticated
    using (
        (account_id IN ( SELECT basejump.get_accounts_with_role()))
    );

Users should be able to delete records that are owned by an account they belong to

create policy "Account members can delete" on posts
    for delete
    to authenticated
    using (
        (account_id IN ( SELECT basejump.get_accounts_with_role()))
    );

Only account OWNERS should be able to delete records that are owned by an account they belong to

create policy "Account owners can delete" on posts
    for delete
    to authenticated
    using (
        (account_id IN ( SELECT basejump.get_accounts_with_role('owner')))
    );
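
Putting the steps above together, as an added example that is not part of the Basejump documentation or code base: the script enables RLS on a table, applies a member/owner policy set from the list above, and then runs two catalog queries to confirm nothing is left open. The posts table and its columns are constructed for illustration; pg_tables and pg_policies are standard PostgreSQL catalog views, and the audit queries are not Basejump's own tests.

```sql
-- Hypothetical table; posts and its columns are constructed for this example.
create table if not exists public.posts (
    id         uuid primary key default gen_random_uuid(),
    account_id uuid not null,  -- the account that owns the row
    body       text not null
);

-- Without this statement the policies below are stored but never enforced.
alter table public.posts enable row level security;

create policy "Account members can select" on public.posts
    for select to authenticated
    using (account_id in (select basejump.get_accounts_with_role()));

create policy "Account members can insert" on public.posts
    for insert to authenticated
    with check (account_id in (select basejump.get_accounts_with_role()));

-- with check is spelled out so the new account_id is validated as well;
-- PostgreSQL reuses the using expression when with check is omitted.
create policy "Only owners can update posts" on public.posts
    for update to authenticated
    using (account_id in (select basejump.get_accounts_with_role('owner')))
    with check (account_id in (select basejump.get_accounts_with_role('owner')));

create policy "Account owners can delete" on public.posts
    for delete to authenticated
    using (account_id in (select basejump.get_accounts_with_role('owner')));

-- Audit 1: tables in public that have RLS switched off (expect zero rows).
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;

-- Audit 2: table/command pairs with more than one permissive policy (a policy
-- declared "for all" is listed under ALL). Permissive policies for the same
-- command are OR'ed, so a broad one such as using (true) overrides a
-- narrower one on the same table.
select tablename, cmd, count(*) as policies, array_agg(policyname) as names
from pg_policies
where schemaname = 'public' and permissive = 'PERMISSIVE'
group by tablename, cmd
having count(*) > 1;
```

Any row returned by the second query deserves a look: adding "All logged in users can select" next to "Account members can select" on the same table makes every row readable by any authenticated user.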