Verify the correctness of your RLS policies with the RLS tester
Verifying that your RLS policies are set up correctly has always been a gap, as highlighted by a number of GitHub discussions like here and here. As such, we're piloting a dedicated UI for RLS testing (using role impersonation as the base), in which you'll be able to:
- Run a SQL query as a user (not logged in / logged in - this is the role impersonation part)
- See which RLS policies are being evaluated as part of the query
- And hopefully be able to debug which policies are not set up correctly
- (Side note) We also added partial support for testing client library code instead of just SQL
  - This is powered by the AI Assistant, which will then convert the code into SQL
  - e.g. `const { data } = await client.from('colors').select('*')`
  - Given that this is by AI, as always do verify the output!
Note: Only SELECT queries are supported for now to simplify things. Testing mutation queries (INSERT, UPDATE, DELETE) could cause side effects such as firing a database trigger, especially one that makes an external request such as an edge function or HTTP call. We're keeping them out of this preview while we work out a safe way to support them.
These changes are currently available as a feature preview, which you can access by clicking on your Profile picture in the top navigation bar. We'll iterate as we get feedback from everyone, so please do let us know what you think!
Related PR: https://github.com/supabase/supabase/pull/45121
What we'd like to know from you
- Any bugs or issues that you might have run into while using the RLS tester
- Any ideas or suggestions that you reckon will improve the DX based on how you currently verify the correctness of your RLS policies
- Feel free to leave any feedback in this thread too! (Both good and bad!)
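The role impersonation that the tester is built on can also be exercised by hand, as in the following added example (not code from the Supabase PR or the tester itself). It assumes a Supabase Postgres database with the `anon` and `authenticated` roles and `auth.uid()`; the `owner_id` column, the policy and the UUIDs are constructed for illustration, and only SELECTs are run against the policy before everything is rolled back.

```sql
-- Added example. Assumes Supabase Postgres (roles anon/authenticated, auth.uid()).
-- Table layout, policy and UUIDs are constructed; run as the postgres role on a
-- scratch project where public.colors does not already exist.
begin;

create table public.colors (
  id       bigint generated always as identity primary key,
  name     text not null,
  owner_id uuid not null               -- constructed column
);
alter table public.colors enable row level security;
grant select on public.colors to anon, authenticated;

-- Constructed policy: a logged-in user may read only their own rows.
create policy "owners can read own colors"
  on public.colors for select to authenticated
  using (owner_id = (select auth.uid()));

insert into public.colors (name, owner_id) values
  ('red',  '00000000-0000-0000-0000-000000000001'),
  ('blue', '00000000-0000-0000-0000-000000000002');

-- Which policies exist for the table, for which roles and commands.
select policyname, roles, cmd, qual
from pg_policies
where schemaname = 'public' and tablename = 'colors';

-- Not logged in: impersonate anon. No policy targets anon, so the policy
-- set for this role is empty and RLS denies by default.
set local role anon;
select count(*) as rows_visible_to_anon from public.colors;

-- Logged in: impersonate authenticated and supply the JWT claims that
-- auth.uid() reads (third argument true = local to this transaction).
set local role authenticated;
select set_config(
  'request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true
);
select name from public.colors;

-- The plan shows the policy expression applied as a filter on the scan.
explain select name from public.colors;

rollback;  -- discards the table, policy, rows and role change
```

Changing the `sub` claim to the second constructed UUID and re-running the final SELECT is a quick way to confirm that the policy separates the two users.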