When RLS is enabled, if deletion is not allowed, it'll still return 200.
A 403 or something similar so that I (as a client) can notify the user that it wasn't successful.
This is working as intended - a 403 is not sufficient from a security perspective since that leaks the existence of the row.
To determine whether or not a .delete() actually has rows deleted, you can do a .delete() with .select() which returns the deleted rows, if any.
You can also use single() to err if you expect deleting a single row; this will be logged with a 406 Not Acceptable.
Additionally, if you revoke the DELETE privilege:
REVOKE DELETE ON <tbl> FROM authenticated;
You'll always get a 403 when using delete().
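One way a client can act on the replies above, as an added example that is not code from the project or from this thread. It assumes the awaited query yields `{ data, error, status }`; `interpretDelete`, `deleteRow`, `makeStubClient` and the sample rows are hypothetical names constructed for illustration.

```javascript
// Added example, not project code. Assumption: the awaited query yields
// { data, error, status } for the .delete().select() chain discussed above.

// Classify the outcome of .delete().select() (optionally with .single()).
function interpretDelete({ data, error, status }) {
  if (error && status === 403) {
    // DELETE privilege revoked from the role: the request is refused outright.
    return { deleted: false, reason: 'no-delete-privilege' };
  }
  if (error && status === 406) {
    // .single() did not get exactly one deleted row back.
    return { deleted: false, reason: 'not-single-row' };
  }
  if (error) return { deleted: false, reason: 'error' };
  const rows = Array.isArray(data) ? data : data ? [data] : [];
  // 200 with zero rows: the row is absent or hidden by the policy. The two
  // cases look identical on purpose, so report them as one.
  if (rows.length === 0) return { deleted: false, reason: 'not-found-or-not-permitted' };
  return { deleted: true, rows };
}

async function deleteRow(client, table, id) {
  return interpretDelete(await client.from(table).delete().eq('id', id).select());
}

// Constructed stub client so the example runs offline. canDelete models the
// RLS policy; hasPrivilege models GRANT/REVOKE DELETE on the table.
function makeStubClient(rows, canDelete, hasPrivilege = true) {
  const from = () => {
    let id;
    const q = {
      delete: () => q,
      eq: (_col, value) => { id = value; return q; },
      select: () => q,
      then(resolve) {
        if (!hasPrivilege) {
          return resolve({ data: null, error: { message: 'permission denied' }, status: 403 });
        }
        const hit = rows.filter((r) => r.id === id && canDelete(r));
        for (const r of hit) rows.splice(rows.indexOf(r), 1);
        return resolve({ data: hit, error: null, status: 200 });
      },
    };
    return q;
  };
  return { from };
}
```

The UI can show one "could not delete" message for `not-found-or-not-permitted`, which tells the user the action failed without revealing whether the row exists.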