I have some tables that I don’t want users to access directly through the default table APIs. Access should happen only via RPC functions, which are called internally by my system.
I tried using REVOKE ALL on the tables, but when I do that, Row Level Security (RLS) stops working, which breaks my permission logic.
Does anyone know the correct way to:
Block direct access to tables
Keep RLS enabled and working
Allow access only through RPC functions?
The user wants to restrict direct access to certain tables, allowing access only through RPC functions while keeping Row Level Security (RLS) enabled. They attempted to use REVOKE ALL, but it disabled RLS, breaking their permission logic. They seek a solution to block direct table access while maintaining RLS and allowing RPC access.
You could remove public from the API schemas and put your functions in another schema that is added to the API. I'm assuming you really mean RPC versus SQL database connections calling a Postgres function.
There is also a pre-function that Postgres runs that can tell a call is a function and potentially error on everything else. https://supabase.com/docs/guides/api/securing-your-api
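A sketch of the separate-schema approach from the reply above, as an added example that is not part of the original thread. It assumes a Supabase project (roles `authenticated` and `anon`, helper `auth.uid()`); the table `public.notes`, its columns, the schema `api` and the function `api.my_notes` are hypothetical names. The role keeps its table privilege so the policy is still evaluated, and direct REST access is closed by taking `public` out of the exposed schemas instead.

```sql
-- Hypothetical table: public.notes(id bigint, owner_id uuid, body text).

-- 1. RLS stays on, and the policy decides which rows a caller can see.
alter table public.notes enable row level security;

create policy notes_owner_select on public.notes
  for select to authenticated
  using (owner_id = auth.uid());

-- 2. Keep the table privilege for the role that calls the function.
--    A SECURITY INVOKER function runs as the caller, so the caller needs
--    SELECT on the table; the policy above then filters the rows.
grant select on public.notes to authenticated;
revoke all on public.notes from anon;

-- 3. A dedicated schema that holds only the functions meant to be callable.
create schema if not exists api;
grant usage on schema api to authenticated;

-- 4. The RPC entry point. An empty search_path forces schema-qualified
--    names, so the function cannot be redirected to a look-alike object.
create or replace function api.my_notes()
returns table (id bigint, body text)
language sql
stable
security invoker
set search_path = ''
as $$
  select n.id, n.body
  from public.notes as n;
$$;

-- 5. Functions are executable by PUBLIC by default; narrow that down.
revoke execute on function api.my_notes() from public;
grant execute on function api.my_notes() to authenticated;

-- 6. Outside SQL: in the project's API settings, remove "public" from the
--    exposed schemas and add "api". Requests to /rest/v1/notes then no
--    longer resolve, while /rest/v1/rpc/my_notes still works.
```

This closes only the REST path: any client holding a direct database connection as `authenticated` can still query `public.notes`, subject to the same policy.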