Given the following (simplified) tables:
users ----- id (pk) posts ----- id (pk) user_id (fk) likes ----- user_id (pk) post_id (pk)
If I run the following query to get which posts a user (?) liked:
SELECT * FROM posts p INNER JOIN likes l ON l.post_id = p.id WHERE l.user_id = ?
Would the RLS policy for SELECT on the likes table and posts table both be invoked, or would it only apply to the posts table since that is where we are SELECTing FROM? I’m under the assumptiom that it would apply for both tables, but just wanted to double check and make sure. I’m using PostgreSQL if that makes any difference.
Thanks for any help!
Advertisement
Answer
If a user doesn’t have permission to see rows in a table, that applies to the entire query, not just to the columns being returned.
Basically, the table (or rows) will be invisible to the user.