How much should one trust RLS? Reading PostgREST, it looks like you could use a JWT parameter to enforce a policy - whether individual user or group based.
I really love the idea of RLS, but wonder at its provable security properties.
Last I looked (several versions ago) RLS for `UPDATE`s was not great. Checking now... I see the same problem remains for `UPDATE`s, that you can't see old and new values for the affected row in the policy code. The workaround, when you need to see the old and new values, is to use a `TRIGGER`.
Not an expert, but my impression is that RLS is not only rock solid but far more testable, since you can construct SQL queries that test virtually any access scenario.
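Pulling the three points above together (a policy keyed on a JWT claim, the `UPDATE` policy's inability to see old and new values side by side, and testing access scenarios with plain SQL), here is an added example. It is not code from this thread, from PostgREST or from PostgreSQL; it assumes PostgreSQL 11 or later, a PostgREST-style `request.jwt.claims` setting that carries the request's JWT claims as JSON text, and made-up names (`api_user`, `note`, `jwt_sub`, `note_guard_update`).

```sql
-- Added example, not from the thread. Assumes PostgreSQL 11+, a PostgREST-style
-- `request.jwt.claims` GUC holding the JWT claims as JSON, and made-up role/table names.
CREATE ROLE api_user NOLOGIN;   -- the role the API layer switches to for authenticated requests

CREATE TABLE note (
  id       serial PRIMARY KEY,
  owner_id text NOT NULL,
  body     text NOT NULL,
  status   text NOT NULL DEFAULT 'draft'
           CHECK (status IN ('draft', 'published', 'archived'))
);
GRANT SELECT, INSERT, UPDATE, DELETE ON note TO api_user;
GRANT USAGE, SELECT ON SEQUENCE note_id_seq TO api_user;

-- The `sub` claim of the current request's JWT (NULL when no claims are set).
CREATE FUNCTION jwt_sub() RETURNS text LANGUAGE sql STABLE AS $$
  SELECT current_setting('request.jwt.claims', true)::json ->> 'sub'
$$;

ALTER TABLE note ENABLE ROW LEVEL SECURITY;
ALTER TABLE note FORCE ROW LEVEL SECURITY;   -- apply the policies to the table owner as well

-- One policy per command. For UPDATE, USING is evaluated against the existing row and
-- WITH CHECK against the proposed new row; no policy clause sees both rows at once.
CREATE POLICY note_select ON note FOR SELECT TO api_user USING (owner_id = jwt_sub());
CREATE POLICY note_insert ON note FOR INSERT TO api_user WITH CHECK (owner_id = jwt_sub());
CREATE POLICY note_update ON note FOR UPDATE TO api_user
  USING (owner_id = jwt_sub()) WITH CHECK (owner_id = jwt_sub());
CREATE POLICY note_delete ON note FOR DELETE TO api_user USING (owner_id = jwt_sub());

-- Trigger workaround: a BEFORE UPDATE trigger sees OLD and NEW together, so it can
-- enforce a rule that relates them. Allowed transitions: draft -> published -> archived.
CREATE FUNCTION note_guard_update() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  IF NEW.status IS DISTINCT FROM OLD.status
     AND (OLD.status, NEW.status) NOT IN (('draft', 'published'), ('published', 'archived')) THEN
    RAISE EXCEPTION 'illegal status transition % -> %', OLD.status, NEW.status
      USING ERRCODE = 'insufficient_privilege';
  END IF;
  RETURN NEW;
END
$$;
CREATE TRIGGER note_guard_update BEFORE UPDATE ON note
  FOR EACH ROW EXECUTE FUNCTION note_guard_update();

-- Test: simulate two authenticated requests inside one transaction and assert on
-- what each can see or change. Run this as a role that may SET ROLE api_user.
BEGIN;
SET LOCAL ROLE api_user;                                   -- RLS applies to api_user, not to superusers
SELECT set_config('request.jwt.claims', '{"sub":"alice"}', true);
INSERT INTO note (owner_id, body) VALUES ('alice', 'hello');
DO $$
BEGIN
  ASSERT (SELECT count(*) FROM note) = 1, 'alice sees her own note';
  BEGIN
    INSERT INTO note (owner_id, body) VALUES ('bob', 'forged');   -- rejected by note_insert
    RAISE EXCEPTION 'insert for another owner must be rejected';
  EXCEPTION WHEN insufficient_privilege THEN NULL;
  END;
  UPDATE note SET status = 'published' WHERE body = 'hello';      -- allowed transition
  BEGIN
    UPDATE note SET status = 'draft' WHERE body = 'hello';        -- rejected by the trigger
    RAISE EXCEPTION 'transition back to draft must be rejected';
  EXCEPTION WHEN insufficient_privilege THEN NULL;
  END;
END
$$;
SELECT set_config('request.jwt.claims', '{"sub":"bob"}', true);
DO $$
BEGIN
  ASSERT (SELECT count(*) FROM note) = 0, 'bob must not see alice''s note';
END
$$;
UPDATE note SET body = 'taken over';   -- matches 0 rows for bob: USING filters them out silently
ROLLBACK;
```

Two caveats worth checking in any such test: a policy violation on `INSERT`/`UPDATE` raises an error (SQLSTATE 42501, `insufficient_privilege`), whereas rows filtered by `USING` simply disappear, so an `UPDATE` that "succeeds" with zero rows affected is the expected shape of a denied write. And RLS is never applied to superusers or roles with `BYPASSRLS`, and only applies to the table owner when `FORCE ROW LEVEL SECURITY` is set, so the test must run as the same non-privileged role the API layer uses, as the `SET LOCAL ROLE` above does.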
XzAeRosho|1 year ago
cryptonector|1 year ago
seveibar|1 year ago
cryptonector|1 year ago