Comprehensive Postgres performance optimization and best practices guide maintained by Supabase
references/security-rls-basics.md
---
title: Enable Row Level Security for Multi-Tenant Data
impact: CRITICAL
impactDescription: Database-enforced tenant isolation, prevent data leaks
tags: rls, row-level-security, multi-tenant, security
---

## Enable Row Level Security for Multi-Tenant Data

Row Level Security (RLS) enforces data access at the database level, ensuring users only see their own data.

**Incorrect (application-level filtering only):**

```sql
-- Relying only on the application to filter
select * from orders where user_id = $current_user_id;

-- A bug or bypass means all data is exposed!
select * from orders; -- Returns ALL orders
```

**Correct (database-enforced RLS):**

```sql
-- Enable RLS on the table
alter table orders enable row level security;

-- Create a policy so users see only their own orders
create policy orders_user_policy on orders
for all
using (user_id = current_setting('app.current_user_id')::bigint);

-- Force RLS even for table owners
alter table orders force row level security;

-- Set the user context and query
set app.current_user_id = '123';
select * from orders; -- Only returns orders for user 123
```

Equivalent policy for the Supabase `authenticated` role:

```sql
create policy orders_user_policy on orders
for all
to authenticated
using (user_id = auth.uid());
```

Reference: [Row Level Security](https://supabase.com/docs/guides/database/postgres/row-level-security)
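As an added end-to-end check of the pattern above (example code, not from the Supabase guide), the psql session below builds a constructed `orders` table, splits the policy into SELECT and INSERT so writes are checked rather than only filtered, and shows that a missing or reset tenant context matches no rows instead of erroring or leaking. It assumes it runs as a superuser (or a member of the `app_user` role it creates); the `app_user` role, the `current_tenant_id()` helper and the sample rows are constructed for the demo.

```sql
-- Constructed schema and sample rows (not from the original guide).
begin;

create table orders (
    id      bigserial primary key,
    user_id bigint not null,
    amount  numeric(10, 2) not null
);
insert into orders (user_id, amount) values (123, 10.00), (123, 25.50), (456, 99.99);

-- Tenant id from the custom setting. The second argument to current_setting()
-- returns NULL instead of raising when the setting was never defined; nullif()
-- also maps the '' that RESET leaves behind to NULL. A NULL comparison is never
-- true, so a missing context matches no rows: the policy fails closed.
create function current_tenant_id() returns bigint
    language sql stable
as $$ select nullif(current_setting('app.current_user_id', true), '')::bigint $$;

alter table orders enable row level security;
alter table orders force row level security;  -- applies to the table owner too

-- Separate read and write policies so inserts are checked, not just filtered.
create policy orders_select on orders for select
    using (user_id = current_tenant_id());
create policy orders_insert on orders for insert
    with check (user_id = current_tenant_id());

-- Application role: not a superuser, no BYPASSRLS, only the privileges it needs.
create role app_user nologin;
grant select, insert on orders to app_user;
grant usage on sequence orders_id_seq to app_user;  -- bigserial needs it on insert

set local role app_user;

-- 1. No tenant context: the policy evaluates to NULL and no rows come back.
select count(*) from orders;

-- 2. Tenant 123 sees only their own rows and can add rows for themselves.
set local app.current_user_id = '123';
select count(*) from orders;
insert into orders (user_id, amount) values (123, 5.00);
select count(*) from orders;

-- 3. Writing a row for another tenant fails the WITH CHECK clause and is
--    rejected with a row-level security policy violation.
insert into orders (user_id, amount) values (456, 1.00);

rollback;  -- discard the whole demo
```

Step 3 aborts the transaction, so it is deliberately the last statement before the rollback; in a real deployment the application role is also granted no BYPASSRLS and never owns the table.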