Setting up permissions and access rules is one of the primary benefits of working with Basejump. Before you begin, take a look at our account types guide to decide how you want to configure your permissions.
Basejump provides a set of roles that you can use to configure your permissions. You can also create your own roles if you need to.
owner
- Owners have access to everything, including billing and inviting new users
member
- Members can access the account, but cannot invite new users or manage billing

Supabase uses RLS (Row Level Security) to enforce permissions within the database. It's the reason they can allow direct access to the database without exposing sensitive data.
Basejump handles permissions on all provided tables by default, and also has tests in place to ensure no added tables are pushed without RLS enabled.
To learn more about configuring RLS policies, check out the official Supabase guide.
By default, Basejump disables execution permissions on all new functions for anon, public and authenticated users. If you're creating new functions, make sure you provide access to them for the users you want.
Be mindful of who actually needs access when granting permissions. For example, it may be that only authenticated users should be able to execute a function, and not anon; in that case leave anon out of the grant.

```sql
-- Grants execute to both roles; drop anon from the list if only signed-in users should call it.
grant execute on function public.your_function(uuid) to authenticated, anon;
```
We've created some convenience functions to help you enforce permissions both inside Postgres and through the API. Check them out here.
For example, if you want to allow only account members to view posts:

```sql
-- Rows are visible only when the post's account is one the current user belongs to.
create policy "Only members can view posts" on posts
for select
to authenticated
using (
  account_id IN (SELECT basejump.get_accounts_for_current_user())
);
```
If you want only owners to be able to update posts, pass the role name to the same helper:

```sql
-- Restrict the account list to those where the current user holds the 'owner' role.
create policy "Only owners can update posts" on posts
for update
to authenticated
using (
  account_id IN (SELECT basejump.get_accounts_for_current_user('owner'))
);
```
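The following migration, added here as an example rather than code from Basejump itself, ties the two parts of this page together: it creates a hypothetical posts table with RLS enabled, adds the insert and delete policies that complement the select and update ones above, locks a new function down to authenticated callers only, and finishes with an audit query that lists any public table still missing RLS. The table layout, the count_account_posts function and the constraint that account_id references the Basejump accounts table are assumptions for the example.

```sql
-- Assumed table for the example; account_id is expected to point at a Basejump account.
create table if not exists public.posts (
  id uuid primary key default gen_random_uuid(),
  account_id uuid not null,
  title text not null,
  body text,
  created_at timestamptz not null default now()
);

-- Without this line no policy applies and every role with table grants sees every row.
alter table public.posts enable row level security;

-- Inserts must land in an account the caller belongs to (WITH CHECK guards the new row).
create policy "Members can create posts" on public.posts
  for insert
  to authenticated
  with check (
    account_id in (select basejump.get_accounts_for_current_user())
  );

-- Deletes are limited to owners, mirroring the update policy above.
create policy "Only owners can delete posts" on public.posts
  for delete
  to authenticated
  using (
    account_id in (select basejump.get_accounts_for_current_user('owner'))
  );

-- Hypothetical helper; security invoker keeps the caller's privileges, so RLS on posts still applies.
create or replace function public.count_account_posts(target_account uuid)
returns bigint
language sql
security invoker
stable
as $$
  select count(*) from public.posts where account_id = target_account;
$$;

-- Explicitly strip the default public execute grant and allow signed-in users only.
revoke execute on function public.count_account_posts(uuid) from public, anon;
grant execute on function public.count_account_posts(uuid) to authenticated;

-- Audit: any public table listed here is reachable through the API with no row filtering.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;
```

Run the final query after every migration; an empty result is the expected state for a Basejump project.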