examples
Policy checks login, not ownership
The policy verified login but never bound rows to ownership, so attackers could scrape the table. This example breaks down what shipped, what caused it, the fix that worked, and how to apply the takeaways to your own schema.
Scenario: Policy checks login, not ownership (what happened)
A marketplace app stores all customer data in one orders table and only checks that auth.uid() exists.
What went wrong in Policy checks login, not ownership (root cause)
The policy is effectively “true for any logged-in user”, so attackers can enumerate rows for every customer.
What fixed Policy checks login, not ownership (actionable change)
Adopt backend-only access or rewrite the policy to enforce ownership and tenant membership, then test direct API access from multiple users.
Why the fix works for Policy checks login, not ownership
Ownership binding makes the authorization invariant simple: you can only see rows you own.
Takeaways you can apply
- Login checks don’t stop cross-user scraping.
- Policies must bind rows to ownership or tenancy.
- Direct API tests reveal leaks the UI hides.
- Backend-only access is safer when rules get complex.
How to map Policy checks login, not ownership to your own schema (make it concrete)
An example becomes actionable when you can point to the exact resource in your project.
- Write down the resource under test (table name, bucket name, function name).
- Write down the intended boundary in one sentence (who should be able to do what, and via which server path).
- List the client code paths that currently reach the resource (direct SDK calls, REST calls, Storage downloads, RPC calls).
- Pick one path and reproduce the risky behavior once (so you’re not guessing).
- Apply the smallest fix that enforces the boundary, then re-test the same path until it fails reliably.
This prevents the common failure mode where a fix works for one UI flow but the underlying API is still reachable directly.
How to reproduce Policy checks login, not ownership safely (so you can verify the fix)
- Identify the exact resource involved (table name, bucket name, function name).
- Attempt direct access using the same client credentials your app ships (anon/authenticated).
- Record what succeeds (status code, rows returned, file downloaded) so you can repeat the same test after fixing.
- If the example involves policies: confirm whether RLS is enabled and forced on the table.
- If the example involves Storage: test both object fetch and listing behavior (enumeration often matters).
Signals that confirm the Policy checks login, not ownership root cause
- You can access the resource without going through your UI or backend endpoint.
- Access is possible with anon/authenticated credentials even though the app implies it shouldn’t be.
- Policies/grants are broader than intended or not enforced (RLS disabled/not forced).
- The fix requires changing both configuration (grants/policies/bucket settings) and application call paths.
Verification checklist after fixing Policy checks login, not ownership
- Repeat the exact same direct access test you used for reproduction and confirm it fails (401/403).
- Confirm the app still works via backend endpoints for authorized users.
- Re-run a scan or checklist queries and confirm the exposure signal is gone.
- Check other environments (staging/prod) — drift is a common cause of “fixed in dev” failures.
Variations and edge cases for Policy checks login, not ownership
- The UI may hide a list view, but the REST endpoint can still be called directly.
- IDs and filenames are often enumerable; security should not rely on “hard to guess.”
- A fix that blocks SELECT may still leave INSERT/UPDATE exposed (or vice versa).
- Storage links can be shared or cached; signed URL TTL and bucket privacy both matter.
- RPC can bypass table policies if functions run with elevated privileges.
How to prevent Policy checks login, not ownership from coming back (drift guard)
- Add a release checklist item or CI query that flags new public grants/policies/buckets/functions.
- Keep a short runbook: what to test directly when this surface changes.
- Re-scan after migrations and after any change to auth, policies, Storage, or RPC.
What to change in your codebase after fixing Policy checks login, not ownership
Most exposure fixes fail because teams change config but keep the same client call paths.
A safer pattern is to make the authorized path explicit in server code:
- Create a backend endpoint for the operation (read/write/download/export).
- Enforce authorization in the endpoint (ownership, membership, tenancy).
- Return only the minimum necessary data (avoid overfetch).
- Update the frontend to call the backend endpoint instead of calling Supabase directly.
This turns the fix into an architectural boundary you can test and monitor.
Step-by-step remediation plan for Policy checks login, not ownership (practical)
Use this as a practical sequence you can follow without guessing:
- Identify every client code path that touches the resource (table/bucket/function).
- Implement a backend endpoint that performs the operation with explicit authorization.
- Deploy the backend endpoint first and validate it works for authorized users.
- Switch the frontend to call the backend endpoint (feature flag if needed).
- Revoke direct client access (grants, bucket settings, EXECUTE grants, broad policies).
- Run the verification checklist: direct access must fail; backend must succeed.
- Re-scan and confirm the exposure signal is gone.
- Add a drift guard so the next migration can’t silently reintroduce it.
Post-fix monitoring for Policy checks login, not ownership
- Watch for spikes in denied access after tightening permissions (it reveals missed app paths).
- Monitor Storage downloads and RPC calls for unusual patterns (automation and scraping often look different than real users).
- Re-run drift checks after migrations and environment changes so the issue doesn’t silently return.
Post-fix evidence checklist for Policy checks login, not ownership
Keep these small artifacts so a teammate can validate the boundary quickly after a migration:
- A saved pre-fix direct access request (the one that succeeded).
- The same request after the fix (must be denied).
- A note describing the authorized backend endpoint path and the authorization rule it enforces.
- A drift guard item you can run after future migrations (scan, checklist query, or release step).
This reduces the chance of silent regressions and makes incident response faster.
Related links
- Topic: Ownership-bound RLS Policies →
/examples/ownership-bound-rls-policies - Glossary: Ownership-bound RLS Policies →
/glossary/ownership-bound-rls-policies - Template: Remove over-permissive RLS policies (adopt deny-by-default) →
/templates/access-control/remove-over-permissive-policies
FAQ
How do I know if this example matches my project?
Compare your configuration to the scenario, then attempt direct API access using client credentials. If you can reproduce the behavior, the example is a strong match.
What’s the safest fix if I’m unsure?
Backend-only access is the safest default: revoke direct client privileges and route operations through server endpoints with explicit authorization.
What should I do after applying the fix?
Verify direct client access fails, confirm the app still works via backend endpoints, and re-run a scan to ensure the finding is resolved.
Next step
If you want to see whether your app has similar exposure, run a Mockly scan and compare findings to the examples here.
Explore related pages
sibling
Write policy missing WITH CHECK/examples/ownership-bound-rls-policies/write-policy-missing-with-check
sibling
Admin Panel Client-Only Auth: direct API bypass/examples/admin-panel-client-auth-only/direct-api-bypass-admin-panel-client-auth-only
cross
Remove over-permissive RLS policies (adopt deny-by-default)/templates/access-control/remove-over-permissive-policies