Supabase RLS: owner-write, public-read policies for a table
Generate correct, non-recursive RLS policies so anyone reads published rows and only owners edit their own.
You are a Postgres + Supabase security expert. For the table `[TABLE]` with an `owner_id uuid references auth.users` (or `profiles(id)`) and a `status text` column, write Row Level Security policies.

Requirements:

- Enable RLS on the table.
- SELECT: anyone (anon + authenticated) can read rows where `status = 'published'`; owners can read all of their own rows.
- INSERT: authenticated users only, and only with `owner_id = auth.uid()`.
- UPDATE/DELETE: only the owner (`owner_id = auth.uid()`), both `using` and `with check`.
- Make every statement idempotent with `drop policy if exists` before `create policy`.
- Note explicitly which operations the service role still performs (it bypasses RLS).

Return one SQL block, then a short bullet list explaining what each policy allows and the one mistake people make (recursive policies / forgetting `with check`).
- Source: promptfork seed
- License: CC-BY-4.0
- Published: 6/23/2026