CallumBoase / plasmic-supabase

GNU General Public License v3.0

Support Role-Based access control (without Plasmic auth) #17

Open CallumBoase opened 2 days ago

CallumBoase commented 2 days ago

PROBLEM: Many apps require role-based access control (RBAC) to determine which pages users can see based on a role or role/s that a user is assigned.

Plasmic-supabase does not currently give any details on how to achieve this. The current methods only specify how to ensure a user is logged in or not (nothing more granular).

TODO We therefore should figure out & describe how to achieve more granular access permissions in an app built with Plasmic-supabase.

CONSTRAINTS I'm pretty sure that Plasmic's RBAC functionality relies on Plasmic Auth. Therefore, we won't be able to utilize Plasmic's built-in RBAC functionality.

IDEAS Plasmic pages allow specification of arbitrary metadata key-value pairs. These could be utilised to allow in-studio definition of permissions per page.

ryanmouritz commented 2 days ago

@CallumBoase I believe there are two main ways to achieve this in Supabase:

  1. https://supabase.com/docs/guides/database/postgres/custom-claims-and-role-based-access-control-rbac This method adds custom claims to the JWT to allow both server-side (e.g. via middleware/route handlers) and client-side application logic to consider the role.

  2. Similar to the above, without adding custom claims to the JWT, allowing only server-side role assessment by querying the user's role in middleware or route handlers:

    • Adding the role to a custom table for managing roles
    • Adding the role to the custom user metadata (less secure because a user could elevate their own privileges)

I believe with the recent changes to revert the route protection approach back to using middleware, we have given advanced users everything required to support both methods for role-based access control above.
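Added example (not code from plasmic-supabase or either commenter) showing method 1 above combined with the per-page metadata idea from the issue: a server-side gate that verifies the Supabase access token's HS256 signature and expiry with the project JWT secret, then compares a custom `user_role` claim against a `requiredRoles` key read from Plasmic page metadata. The claim name, the metadata key, and the token-builder used to construct sample tokens are assumptions; in a real middleware you would obtain the verified user via the Supabase client instead of re-implementing verification.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed claim shape: the Supabase RBAC guide adds a `user_role` custom claim to the JWT.
interface Claims { sub: string; exp: number; user_role?: string }

const b64url = (b: Buffer | string): string => Buffer.from(b).toString("base64url");

// HS256 over the JWT signing input; Supabase signs access tokens with the project's JWT secret.
function hs256(signingInput: string, secret: string): string {
  return b64url(createHmac("sha256", secret).update(signingInput).digest());
}

// Constructed token builder for the sample below; in production Supabase issues the token.
export function makeToken(payload: Claims, secret: string): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${hs256(`${head}.${body}`, secret)}`;
}

// Verify signature and expiry BEFORE reading any claim: a role taken from an
// unverified token is attacker-controlled, which is the same weakness as trusting
// client-editable user metadata.
export function verifyToken(token: string, secret: string, now = Math.floor(Date.now() / 1000)): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = Buffer.from(hs256(`${head}.${body}`, secret));
  const given = Buffer.from(sig);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  try {
    const header = JSON.parse(Buffer.from(head, "base64url").toString());
    if (header.alg !== "HS256") return null; // only the algorithm we actually verified
    const claims = JSON.parse(Buffer.from(body, "base64url").toString()) as Claims;
    if (typeof claims.exp !== "number" || claims.exp <= now) return null;
    return claims;
  } catch {
    return null;
  }
}

// Plasmic page metadata arrives as string key/value pairs, e.g. { requiredRoles: "admin,editor" }
// (assumed key name). A page with no requiredRoles entry only requires a logged-in user.
export function canAccess(claims: Claims | null, pageMeta: Record<string, string>): boolean {
  const required = (pageMeta.requiredRoles ?? "").split(",").map(s => s.trim()).filter(Boolean);
  if (required.length === 0) return claims !== null;
  return claims !== null && typeof claims.user_role === "string" && required.includes(claims.user_role);
}
```

Because the anon key and access token are visible in the browser, this check belongs in middleware or a route handler, not in client-side page logic.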