0

Given the following (simplified) tables:

users
-----
id (pk)

posts
-----
id (pk)
user_id (fk)

likes
-----
user_id (pk)
post_id (pk)

If I run the following query to get which posts a user (?) liked:

SELECT *
FROM posts p
INNER JOIN likes l
ON l.post_id = p.id
WHERE l.user_id = ?

Would the RLS policy for SELECT on the likes table and posts table both be invoked, or would it only apply to the posts table since that is where we are SELECTing FROM? I'm under the assumptiom that it would apply for both tables, but just wanted to double check and make sure. I'm using PostgreSQL if that makes any difference.

Thanks for any help!

bryan-vh
  • 151
  • 1
  • 9

1 Answers1

2

If a user doesn't have permission to see rows in a table, that applies to the entire query, not just to the columns being returned.

Basically, the table (or rows) will be invisible to the user.

Gordon Linoff
  • 1,242,037
  • 58
  • 646
  • 786
  • So if I don't have permission to view the rows in the party table it won't matter that I could see the like(s) in the likes table? And vice versa? – bryan-vh Jun 17 '21 at 01:22
  • 1
    @bryan-vh . . . Security controls "visibility". If the user cannot "see" the row, it is invisible to the query. You can see the rows in `like`s but there will be nothing to join it to. – Gordon Linoff Jun 17 '21 at 01:46