Feature Preview: RLS Tester

Verify the correctness of your RLS policies with the RLS tester

<img width="700" alt="rls-tester-preview" src="https://github.com/user-attachments/assets/4401e8ff-9d84-40ed-a47c-a6679ac40319" />

Verifying the correctness of your RLS policies set up has always been a gap, as highlighted by a number of GitHub discussions like here and here. As such, we're piloting a dedicated UI for RLS testing (using role impersonation as the base), in which you'll be able to

• Run a SQL query as a user (not logged in / logged in - this is the role impersonation part)
• See which RLS policies are being evaluated as part of the query
• And hopefully be able to debug which policies are not set up correctly
• (Side note) We also added partial support for testing client library code instead of just SQL
  • This is powered by the AI Assistant which will then infer the code into SQL
  • e.g const { data } = await client.from('colors').select('*')
  • Given that this is by AI, as always do verify the output!

Note: Only SELECT queries are supported for now to simplify things. Testing mutation queries (INSERT, UPDATE, DELETE) could trigger side effects such as triggering a database trigger, especially if it involves an external request such as an edge function or HTTP call - we're keeping them out of this preview while we work out a safe way to support them.

Changes are currently set as a feature preview which you can access by clicking on your Profile picture in the top navigation bar . We'll iterate as we get feedback from everyone so please do let us know what you think! 🙂🙏

Related PR: https://github.com/supabase/supabase/pull/45121

What we'd like to know from you

• Any bugs or issues that you might have run into while using the RLS tester
• Any ideas or suggestions that you reckon will improve the DX based on how you currently verify the correctness of your RLS policies
• Feel free to leave any feedback in this thread too! (Both good and bad!) 🙂🙏