
Supabase: Allow all users to insert but not to select


I set up a subscription form to allow customers to subscribe to my coming soon page while waiting to build the MVP.
I'm using Supabase to store the customer's email and name.
For security purposes, I need to set up row level security.
The thing is that I want to allow people only to INSERT, but not to delete, read or update the data.
This is what I did, but if a user doesn't have the possibility to select, he doesn't have the possibility to insert.
How can I allow an anonymous user to INSERT but not to SELECT, DELETE or UPDATE?
I don't want someone to find the database and be able to fetch all the data.


Solution

  • To allow users to insert without giving anybody the possibility to fetch the data, you need to set the "Row security level" to INSERT for anon.

    -- INSERT policies take WITH CHECK; PostgreSQL rejects a USING clause on FOR INSERT.
    CREATE POLICY "Allow user to insert" ON "public"."email_lst"
    AS PERMISSIVE FOR INSERT
    TO anon
    WITH CHECK (true);

    Then you need to add the insert function to your code, but without the select at the end, because select returns the created record. I commented it out here to show.

    const { data, error } = await _supabase
        .from('email_lst')
        .insert([ { first_name: first, last_name: last, email, remark }])
        // .select();
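
The behaviour described in the answer, as an added example that is not part of the original post: a script for a scratch PostgreSQL database that shows an insert-only policy letting `anon` write while reads, updates, deletes and `INSERT ... RETURNING` are blocked. The `id` column, the column types and the sample rows are assumptions; on Supabase the `anon` role already exists.

```sql
-- Added example; run as a superuser on a scratch database. Nothing is kept (ROLLBACK).
BEGIN;
-- Supabase ships an anon role; create a stand-in when testing elsewhere.
DO $$
BEGIN
  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'anon') THEN
    CREATE ROLE anon NOLOGIN;
  END IF;
END $$;

-- Column names follow the insert call on this page; id and the types are assumptions.
CREATE TABLE public.email_lst (
  id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  first_name text,
  last_name  text,
  email      text NOT NULL,
  remark     text
);

-- Privileges are granted broadly on purpose, so that everything blocked below
-- is blocked by row level security and not by a missing GRANT.
GRANT USAGE ON SCHEMA public TO anon;
GRANT SELECT, INSERT, UPDATE, DELETE ON public.email_lst TO anon;

-- Once RLS is enabled, any command without a matching policy is denied by default.
ALTER TABLE public.email_lst ENABLE ROW LEVEL SECURITY;
CREATE POLICY "Allow user to insert" ON public.email_lst
  AS PERMISSIVE FOR INSERT TO anon WITH CHECK (true);

SET LOCAL ROLE anon;

-- Accepted: the INSERT policy's WITH CHECK passes.
INSERT INTO public.email_lst (first_name, last_name, email)
VALUES ('Ada', 'Example', 'ada@example.test');  -- constructed sample row

-- No SELECT, UPDATE or DELETE policy exists, so anon sees and changes no rows.
SELECT count(*) AS visible_rows FROM public.email_lst;
UPDATE public.email_lst SET remark = 'changed';
DELETE FROM public.email_lst;

-- Rejected with an RLS violation: RETURNING must read the new row, which needs
-- a SELECT policy. Asking for the created record back hits the same check.
SAVEPOINT returning_test;
INSERT INTO public.email_lst (email) VALUES ('bob@example.test') RETURNING id;
ROLLBACK TO SAVEPOINT returning_test;

ROLLBACK;
```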