top | item 46357710

(no title)

jscheel | 2 months ago

The problem is that people just really do not comprehend what the "public" schema means in supabase. My guess is that that they think it means "default" or something along those lines. If you read the supabase documentation, you can clearly see that it says "your database's auto-generated Data API exposes the public schema by default", but to truly understand that, you need to understand what the data api is and how it relies on rls. For people first coming to supabase, they are probably either new devs, or they think of the db as a backend service that has application-layer authentication in front of it.

discuss

christophilus|2 months ago

Interesting. That would have surprised me if I was a supabase user. I’m used to tossing everything into the public Postgres schema simply because it’s the default schema, and for many small apps, that’s all you need. Supabase should really rethink publicly exposing the default schema without explicit consent from the developer.

jscheel|2 months ago

They do a lot more nowadays to make it clear to the user what is happening, but it still feels unnatural to me.

EGreg|2 months ago

That is why in https://github.com/Qbix/Streams the default for all streams is PRIVATE. And people can choose what to open up explicitly. We support access templates, mutable access, and inheritance, roles, even participant roles and custom permissions. But the default is private, and all that is machinery on top of it.

Read this for a high level overview useful for HN: https://community.qbix.com/t/streams-plugin-access-control/2...