Closed n-sviridenko closed 1 year ago
This is working as intended - a 403 is not sufficient from a security perspective since that leaks the existence of the row.
To determine whether or not a .delete() actually has rows deleted, you can do a .delete() with .select(), which returns the deleted rows, if any.
You can also use single() to error if you expect to delete a single row; this will be logged with a 406 Not Acceptable.
Additionally, if you revoke the DELETE privilege:
REVOKE DELETE ON <tbl> FROM authenticated;
you'll always get a 403 when using delete().
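The checks described in the comment above, as an added example that is not part of the issue or of supabase-js: a small helper that interprets the result object a supabase-js delete returns, so that a row silently filtered out by RLS (200 with an empty array) is not mistaken for a successful delete. The sample result objects are constructed to mirror the shapes and status codes the comment mentions; the error messages in them are illustrative, not quoted from PostgREST.

```javascript
// Added example, not from the issue. Intended usage with a real client:
//   interpretDeleteResult(await supabase.from('todos').delete().eq('id', id).select());
//   interpretDeleteResult(await supabase.from('todos').delete().eq('id', id).select().single());

function interpretDeleteResult({ data, error, status }) {
  if (error) {
    // .single() with zero rows deleted: PostgREST answers 406 Not Acceptable.
    if (status === 406) {
      return { deleted: false, count: 0, reason: 'no row deleted (missing or RLS-filtered)' };
    }
    // After REVOKE DELETE ON <tbl> FROM authenticated, every delete() is a 403.
    if (status === 403) {
      return { deleted: false, count: 0, reason: 'delete privilege revoked' };
    }
    return { deleted: false, count: 0, reason: error.message };
  }
  // Without .single(), data is the array of rows actually deleted. Under RLS a
  // row the policy hides is simply not deleted: 200 with [] (the case reported).
  const rows = Array.isArray(data) ? data : data ? [data] : [];
  if (rows.length === 0) {
    return { deleted: false, count: 0, reason: 'no row deleted (missing or RLS-filtered)' };
  }
  return { deleted: true, count: rows.length, reason: null };
}

// Constructed sample results shaped like supabase-js responses (not real captures).
const SAMPLE_RLS_FILTERED = { data: [], error: null, status: 200 };
const SAMPLE_DELETED = { data: [{ id: 7 }], error: null, status: 200 };
const SAMPLE_SINGLE_MISS = {
  data: null,
  error: { message: 'constructed: single() found no deleted row' },
  status: 406,
};
const SAMPLE_REVOKED = {
  data: null,
  error: { message: 'constructed: permission denied' },
  status: 403,
};
```

Pass the result of the real client call to interpretDeleteResult and surface `reason` to the user instead of trusting the 200 status alone.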
Bug report
Describe the bug
When RLS is enabled, if deletion is not allowed, it will still return 200.
To Reproduce
Expected behavior
A 403 or something similar so that I (as a client) can notify the user that it wasn't successful.
System information