undefined | Better HN

0 pointspphysch2y ago0 comments

Do I have to add that context to every query, or is it something I can set per cursor/transaction?

0 comments

3 comments · 1 top-level

anarazel2y ago· 2 in thread

Either. What the best approach is depends a bit on your needs / security model.

You can e.g. something like storing the session "application user" in a configuration variable (SET myapp.rls_user =...). But if the user can influence the SQL and that's part of the threat model, you need to do more, because that could be changed by further SQL.

Another solution is to just have a session level temp table indicating the current application user.

pphyschOP2y ago

Oh sweet. That approach makes a lot more sense. Access would be through a server-side ORM so users would not be able to run arbitrary SQL. Thanks!

edmundsauto2y ago

Supabase has pretty good docs and a nice Ui to play around with this, btw.

j / k navigate · click thread line to collapse