blog: supabase rls alternative #335
Conversation
Walkthrough

The document introduces an exploration of Supabase's Row-Level Security (RLS) limitations in multi-tenancy SaaS applications, proposing ZenStack as an alternative. It details the evolution of Backend-as-a-Service platforms, highlights key access control challenges, and illustrates a practical example using a ToDo application. ZenStack's features offer improved developer experience and maintainability by integrating access controls directly into the data model, positioning it as a more user-friendly option compared to RLS.
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Developer
    participant Application
    participant Database
    Developer->>Application: Define access control policies
    Application->>Database: Request data with Row-Level Security (RLS)
    Database->>Application: Apply RLS rules and return data
    Application->>Developer: Provide data (with RLS applied)
    Developer->>Application: Define access control in ZenStack
    Application->>Database: Request data with ZenStack
    Database->>Application: Return data with integrated access control
    Application->>Developer: Provide data (with ZenStack access control)
```
Actionable comments posted: 16
> TLDR: The team felt that BaaS was too limited for developers to build the next generation of web applications, so they pivoted it to the [Prisma ORM](https://www.prisma.io/orm).
>
> It simplifies database interactions by providing a type-safe query builder, seamless migrations, and an intuitive data modeling language. While Prisma ORM does provide more flexibility compared to BaaS, it intentionally misses the access control layer as an ORM. Consequently, you have to switch back to implementing Authorization logic at the application level.
Consider using a more polite way of asking the question.
Consider using a more polite way of asking this question.
- Is it possible to bring back the convenience of not writing code for the Authorization like BaaS while maintaining the flexibility of a custom backend?
+ Could we bring back the convenience of not writing code for the Authorization like BaaS while maintaining the flexibility of a custom backend?

Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Tools
LanguageTool
[style] ~251-~251: Consider using a more polite way of asking this question.
Context: ...zation logic at the application level. Is it possible to bring back the convenience of not wr...(IS_IT_POSSIBLE_TO)
> ### 4. Maintainability
>
> Let’s say we get a feature request that if a team member can see a Todo list, he will have full access to all the Todos under it, even the ones not owned by him.
Add a hyphen in "ToDo" to form "To-Do".
It appears that a hyphen is missing in the noun “To-Do” (= task).
- if a team member can see a Todo list
+ if a team member can see a To-Do list

Committable suggestion
Tools
LanguageTool
[grammar] ~217-~217: It appears that a hyphen is missing in the noun “To-do” (= task) or did you mean the verb “to do”?
Context: ...request that if a team member can see a Todo list, he will have full access to all t...(TO_DO_HYPHEN)
[grammar] ~217-~217: It appears that a hyphen is missing in the plural noun “to-dos”?
Context: ...st, he will have full access to all the Todos under it, even the ones not owned by hi...(TO_DO_HYPHEN)
Add a hyphen in "Todos" to form "To-Dos".
It appears that a hyphen is missing in the plural noun “To-Dos”.
- he will have full access to all the Todos under it
+ he will have full access to all the To-Dos under it

Committable suggestion
> Nothing explains better than code here.
>
> Here is the complete runnable project for this SaaS ToDo app:
Add a hyphen in "ToDo" to form "To-Do".
It appears that a hyphen is missing in the noun “To-Do” (= task).
- complete runnable project for this SaaS ToDo app:
+ complete runnable project for this SaaS To-Do app:

Committable suggestion
Tools
LanguageTool
[grammar] ~438-~438: It appears that a hyphen is missing in the noun “To-Do” (= task) or did you mean the verb “to do”?
Context: ...complete runnable project for this SaaS ToDo app: [https://github.com/zenstackhq/s...(TO_DO_HYPHEN)
> ### 3. Scalability
>
> Have you noticed that for `Todo` there is only one line of the policy rule?
Add a hyphen in "ToDo" to form "To-Do".
It appears that a hyphen is missing in the noun “To-Do” (= task).
- Have you noticed that for `Todo` there is only one line of the policy rule?
+ Have you noticed that for `To-Do` there is only one line of the policy rule?

Committable suggestion
Tools
LanguageTool
[grammar] ~404-~404: It appears that a hyphen is missing in the noun “To-do” (= task) or did you mean the verb “to do”?
Context: ... Scalability Have you noticed that for `Todo` there is only one line of the policy r...(TO_DO_HYPHEN)
> - Read
>     - can be read by the owner.
>     - can be read by space members if not private.
Complete the sentence.
To form a complete sentence, be sure to include a subject.
- can be read by the owner.
+ It can be read by the owner.

Committable suggestion

- can be read by space members if not private.
+ It can be read by space members if not private.
Tools
LanguageTool
[style] ~132-~132: To form a complete sentence, be sure to include a subject.
Context: ...d - can be read by the owner. - can be read by space members if not private...(MISSING_IT_THERE)
Markdownlint
132-132: Expected: 2; Actual: 4
Unordered list indentation(MD007, ul-indent)
> You might feel the aforementioned RLS for `List` is clear and straightforward, but that’s only for one table. If the access control policy for `Todo` is the same as `List`, which is a very common case, what policy do you need to create for `Todo`? The answer is that you have to duplicate all the policies of the `list` for `Todo`. That’s definitely not DRY(Don’t repeat yourself).
>
> If you don't think it's a big deal, imagine you're lucky enough to grow your Todo SaaS into a team collaboration platform that manages various entities like dashboards, tasks, bugs, projects, etc.
Add a hyphen in "ToDo" to form "To-Do".
It appears that a hyphen is missing in the noun “To-Do” (= task).
- grow your Todo SaaS into a team collaboration platform
+ grow your To-Do SaaS into a team collaboration platform

Committable suggestion
Tools
LanguageTool
[grammar] ~213-~213: It appears that a hyphen is missing in the noun “To-do” (= task) or did you mean the verb “to do”?
Context: ...magine you're lucky enough to grow your Todo SaaS into a team collaboration platform...(TO_DO_HYPHEN)
> - Update
>     - only the owner is allowed to update
>     - owner must be in the space of the current list
>     - it doesn’t allow to change owner
Correct the phrase "allow to change".
Did you mean “changing”? Or maybe you should add a pronoun? In active voice, ‘allow’ + ‘to’ takes an object, usually a pronoun.
- it doesn’t allow to change owner
+ it doesn’t allow changing the owner

Committable suggestion
Tools
LanguageTool
[grammar] ~148-~148: Did you mean “changing”? Or maybe you should add a pronoun? In active voice, ‘allow’ + ‘to’ takes an object, usually a pronoun.
Context: ...the current list - it doesn’t allow to change owner ```sql create policy...(ALLOW_TO)
Markdownlint
148-148: Expected: 2; Actual: 4
Unordered list indentation(MD007, ul-indent)
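The Read rules quoted earlier, the Update rules just above, and the duplication for `Todo` raised under the Scalability section, as an added worked example written for this review. It is not the blog's own SQL: the table and column names (`List`, `Todo`, `SpaceUser`, `ownerId`, `spaceId`, `listId`, `userId`, `private`) and the Supabase `auth.uid()` helper are assumptions.

```sql
-- Added example for this review (not the post's code). Table and column
-- names and the Supabase auth.uid() helper are assumptions.

-- RLS is off by default; without this the policies below never apply.
alter table "List" enable row level security;
alter table "Todo" enable row level security;

-- Read: the owner, or any space member when the list is not private.
create policy "list_select" on "List"
  for select
  using (
    "ownerId" = auth.uid()
    or (
      not "private"
      and exists (
        select 1 from "SpaceUser" su
        where su."spaceId" = "List"."spaceId"
          and su."userId" = auth.uid()
      )
    )
  );

-- Update: only the owner, who must be a member of the list's space.
-- USING filters which rows may be targeted; WITH CHECK validates the
-- row as it will look after the update. Requiring ownerId = auth.uid()
-- in WITH CHECK is what blocks reassigning ownership to someone else.
create policy "list_update" on "List"
  for update
  using (
    "ownerId" = auth.uid()
    and exists (
      select 1 from "SpaceUser" su
      where su."spaceId" = "List"."spaceId"
        and su."userId" = auth.uid()
    )
  )
  with check (
    "ownerId" = auth.uid()
    and exists (
      select 1 from "SpaceUser" su
      where su."spaceId" = "List"."spaceId"
        and su."userId" = auth.uid()
    )
  );

-- Todo follows List's rules, so the List predicate is restated here,
-- joined through listId. Every later change to list_select has to be
-- mirrored in this policy and in every other child table's policy.
create policy "todo_select" on "Todo"
  for select
  using (
    exists (
      select 1 from "List" l
      where l.id = "Todo"."listId"
        and (
          l."ownerId" = auth.uid()
          or (
            not l."private"
            and exists (
              select 1 from "SpaceUser" su
              where su."spaceId" = l."spaceId"
                and su."userId" = auth.uid()
            )
          )
        )
    )
  );
```

Two checks worth running against a schema like this. First, a shortcut such as `exists (select 1 from "List" where id = "Todo"."listId")` does let `List`'s own select policy filter the rows, because policy subqueries execute as the calling role, but it inherits only the select rule; an update or delete policy on `Todo` cannot reuse `list_update` that way, so per-operation predicates still get restated per table. Second, the table owner and any role with `BYPASSRLS` (Supabase's service-role key) skip these policies entirely, so verify them while connected as the `authenticated` or `anon` role, and remember that once RLS is enabled any operation with no matching policy is denied, so `Todo` still needs its own insert, update and delete policies.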
> ## Multi-Tenancy SaaS Example
>
> Multi-tenancy is the classical pattern used in SaaS applications. An application can host many organizations, and users can join organizations and access resources based on their permissions. Let’s use a ToDo app to illustrate.
Add a hyphen in "ToDo" to form "To-Do".
It appears that a hyphen is missing in the noun “To-Do” (= task).
- Let’s use a ToDo app to illustrate.
+ Let’s use a To-Do app to illustrate.

Committable suggestion
Tools
LanguageTool
[grammar] ~66-~66: It appears that a hyphen is missing in the noun “To-Do” (= task) or did you mean the verb “to do”?
Context: ...based on their permissions. Let’s use a ToDo app to illustrate. ### Database Model ...(TO_DO_HYPHEN)
> That's why we built [ZenStack](https://zenstack.dev/) on top of Prisma ORM, adding the missing authorization layer and auto-generating type-safe APIs/hooks. It gives you the same convenience as using BaaS while maintaining flexibility with everything in your codebase.
>
> Let’s cut the crap and see the code directly. Below are the equivalent ZenStack schema definitions of `List` and `Todo` you need to write for the ToDo apps.
Add a hyphen in "ToDo" to form "To-Do".
It appears that a hyphen is missing in the noun “To-Do” (= task).
- ZenStack schema definitions of `List` and `Todo` you need to write for the ToDo apps.
+ ZenStack schema definitions of `List` and `Todo` you need to write for the To-Do apps.

Committable suggestion
Tools
LanguageTool
[grammar] ~256-~256: It appears that a hyphen is missing in the noun “To-do” (= task) or did you mean the verb “to do”?
Context: ...nStack schema definitions of `List` and `Todo` you need to write for the ToDo apps. ...(TO_DO_HYPHEN)
[grammar] ~256-~256: It appears that a hyphen is missing in the noun “To-Do” (= task) or did you mean the verb “to do”?
Context: ...t` and `Todo` you need to write for the ToDo apps. ```tsx abstract model BaseEntit...(TO_DO_HYPHEN)
Add a hyphen in "ToDo" to form "To-Do".
It appears that a hyphen is missing in the noun “To-Do” (= task).
- ZenStack schema definitions of `List` and `Todo` you need to write for the ToDo apps.
+ ZenStack schema definitions of `List` and `To-Do` you need to write for the To-Do apps.

Committable suggestion
> ### 3. Scalability
>
> You might feel the aforementioned RLS for `List` is clear and straightforward, but that’s only for one table. If the access control policy for `Todo` is the same as `List`, which is a very common case, what policy do you need to create for `Todo`? The answer is that you have to duplicate all the policies of the `list` for `Todo`. That’s definitely not DRY(Don’t repeat yourself).
Add a hyphen in "ToDo" to form "To-Do".
It appears that a hyphen is missing in the noun “To-Do” (= task).
- If the access control policy for `Todo` is the same as `List`
+ If the access control policy for `To-Do` is the same as `List`

Committable suggestion
Tools
LanguageTool
[grammar] ~211-~211: It appears that a hyphen is missing in the noun “To-do” (= task) or did you mean the verb “to do”?
Context: ...table. If the access control policy for `Todo` is the same as `List`, which is a very...(TO_DO_HYPHEN)
[grammar] ~211-~211: It appears that a hyphen is missing in the noun “To-do” (= task) or did you mean the verb “to do”?
Context: ..., what policy do you need to create for `Todo`? The answer is that you have to dupli...(TO_DO_HYPHEN)
[grammar] ~211-~211: It appears that a hyphen is missing in the noun “To-do” (= task) or did you mean the verb “to do”?
Context: ...cate all the policies of the `list` for `Todo`. That’s definitely not DRY(Don’t repea...(TO_DO_HYPHEN)
Add a hyphen in "ToDo" to form "To-Do".
It appears that a hyphen is missing in the noun “To-Do” (= task).
- duplicate all the policies of the `list` for `Todo`.
+ duplicate all the policies of the `list` for `To-Do`.

Committable suggestion
Add a hyphen in "ToDo" to form "To-Do".
It appears that a hyphen is missing in the noun “To-Do” (= task).
- what policy do you need to create for `Todo`?
+ what policy do you need to create for `To-Do`?

Committable suggestion