Realtime RLS, how to notify anon users of changes?

[ruggi99]

Hi, I would like to implement a set of RLS policies so that only authenticated users can modify a certain table (no matter which row), but every user (anon too) can be notified by Realtime of every changes made in that table. Is that possible with the new Realtime RLS feature?

EDIT: (before it was possible because Realtime didn't have RLS)

Thanks

[w3b6x9]

@ruggi99 just a heads up I replied to your support ticket regarding this issue.

We're working hard to update Realtime RLS to incorporate all roles so very soon you can set a select policy like (auth.role() = 'anon') and have this work.

[ruggi99]

Thanks Wen

[maxibenner]

Hi, just checking in to see if there been any progress on this.

[w3b6x9]

@maxibenner we're currently working on incorporating this (see PR) into Realtime.

[allanwakes]

so I can achieve this via 1) enable RLS on table, 2) a select policy with (auth.role() = 'anon'), then client with anon api key would get changes? for now, I cannot get changes with RLS on

[w3b6x9]

@allanwakes that's correct, once rolled out you'll be able to do exactly that. Please email support@supabase.io with a link to this discussion and your project ref. Thanks!

[kav]

Maybe stupid question but in the interim couldn't you set the INSERT and UPDATE RLS policies to auth.role() = 'authenticated' and the SELECT policy to true that way you never need to check for the anon role. Or are you concerned about a third party selecting directly?

[w3b6x9]

just wanted to give an update that this has been rolled out to Supabase projects. You can include anon, or any other database role, in your RLS policies and Realtime RLS will notify the right party or parties accordingly.

[whymidnight]

i actually ran into this issue a few hours ago. issue #7630 is worth mentioning as it provides context.

basically if you want to scope the anon role with RLS and realtime, you need to pair the UPDATE policy with a SELECT policy. otherwise with just an UPDATE policy on an RLS+realtime enabled table, realtime UPDATE events will not propagate to the client.

for reference - to enable RLS and realtime UPDATE events for foo_table:

-- enable realtime
begin;
  drop publication if exists supabase_realtime;
  create publication supabase_realtime with (publish = 'update');
commit;

-- include foo_table
alter publication supabase_realtime add table foo_table;

-- create policies
create policy "anon_foo_table_select_policy"
on public.foo_table
for select
to anon
using (
  true
);
create policy "anon_foo_table_update_policy"
on public.foo_table
for update
to anon
using (
  true
) with check (
  true
);

maybe my brain was too fried and overlooked this in the documentation.. just wanted to share.

[ruggi99]

Hi @whymidnight, you are replying to a quite old thread.
The issue / feature request I wrote about one year ago has been resolved in about a month and it was raised due to un update to Realtime.
I think you're facing a similar issue, but different enough to raise a new issue / discussion.
FYI Realtime RLS with notification to anon users has worked and it is still working as now. I use it in my project and it doesn't need any configuration, so it comes with "batteries included"

[w3b6x9]

@whymidnight you're correct, when RLS is enabled on a table Realtime will look at the SELECT policies to determine if a subscriber should receive changes.