supabase / postgrest-js

Isomorphic JavaScript client for PostgREST.
https://supabase.com
MIT License

Delete RLS violations return 204 not 403 #409

Closed reisepass closed 1 year ago

reisepass commented 1 year ago

Bug report

SQL/API Delete row-level security policy violations return 204 not 403 like with inserts.

Describe the bug

This may be a design decision but it is very unintuitive and significantly increases time to debug access control.

To Reproduce

  1. Create a table with no DELETE policy but RLS enabled
  2. Insert some data in the dashboard
  3. Try to delete data from the JS client / CURL api
  4. API will return 204 but nothing gets deleted in the DB

Expected behavior

When deletes fail due to RLS, a 4xx HTTP code should be returned, specifically 403.

GaryAustin1 commented 1 year ago

This is expected behavior as discussed in this issue in postgrest-js:

https://github.com/supabase/postgrest-js/issues/307

This is probably more a documentation issue than a bug.

Moving to Postgrest-js for devs to decide on proper documentation if appropriate.

Netail commented 1 year ago

Same for inserting data, very confusing when debugging. GraphQL also started to get backlash due to only returning 200s, making it hard to debug.

pompep commented 1 year ago

To detect RLS errors on update and delete, I check the response.count field. Something like:

// Ask PostgREST to report the number of affected rows alongside the
// (empty) 204 response; "exact" is also an accepted count mode.
const response = await client
  .from("table")
  .delete({ count: "estimated" })
  .eq("id", rowIdToDelete);

// A delete filtered out by RLS succeeds with 204 but affects 0 rows,
// so anything other than the one expected row is treated as a denial.
if (response.count !== 1) {
  // detected RLS error
}

seems like it works, but if someone has a better solution, please let me know

soedirgo commented 1 year ago

Closing as duplicate of #307 - the answer in that issue still applies.