Impossible to determine if the record was really deleted

[n-sviridenko]

Bug report

Describe the bug

When RLS is enabled, if deletion is not allowed, it'll still return 200.

To Reproduce

1. Create a table
2. Enable RLS
3. No policies needed, as deletion will be already not allowed
4. Create a record in that table
5. Do a DELETE request to delete a record from there

Expected behavior

A 403 or something similar so that me (as a client) can notify the user that it wasn't successful.

System information

• Version of supabase-js: the last one
• Version of Node.js: 14

[soedirgo]

This is working as intended - a 403 is not sufficient from a security perspective since that leaks the existence of the row.

To determine whether or not a .delete() actually has rows deleted, you can do a .delete() with .select() which returns the deleted rows, if any.

[steve-chavez]

You can also use single() to err if you expect deleting a single row, this will be logged with a 406 Not Acceptable.

Additionally if you revoke the DELETE privilege

REVOKE DELETE ON <tbl> FROM authenticated;

You'll always get a 403 when using delete().