storage
storage copied to clipboard
supabase
Allow security policy to upload (upsert true), update and remove storage.objects without requiring Select permission
Feature request
Is your feature request related to a problem? Please describe.
I want to set security policies to allow the user to upload (upsert true), update and remove storage.objects, but not allowed to download. I do not want to give the Select permission which is currently required for upload (upsert true), update and remove.
Describe the solution you'd like
Please review the need for Select permission for upload (upsert true), update and remove for storage.objects.
Describe alternatives you've considered
Please tell me how to use the current security policy model to implement the use case of: Allow the user to upload (upsert true), update and remove storage.objects, but not allowed to download.
Thanks!
Hi @kk21, I have a related issue here.
Trying to understand your usecase better here. You want to users to upload objects, but not view the objects they uploaded?
Hi @kk21, I have a related issue here.
Trying to understand your usecase better here. You want to users to upload objects, but not view the objects they uploaded?
I have one upload folder for each user to upload files, and also overwrite existing files and maybe delete. These are input files e.g. csv files for processing. So there is no need to allow for download to save on download transfer charges or "misuse" as personal backup / store / distribution.
I have another download folder for each user to download files meant for each user.
BTW I have my own backend API server which uses the service key to interact with Supabase, so it can show the files uploaded by the user.
This is not currently possible with RLS, since upsert requires the record to be selected first. One way around this is to use signed upload URL's so that it won't need select permission
