-
-
Notifications
You must be signed in to change notification settings - Fork 116
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make Storage API consistent and more useful #210
Comments
@activenode Hello! Here are some of my thoughts regarding your suggestions:
The way i'll go about solving your concern would be to create a view over the object table and only include the fields that you want to expose to your clients (with appropriate RLS policies) for example, the view could be called |
1 + 2. Thanks, that would be nice |
1 + 2 + 3 . 🎉 Will keep you posted
We are discussing this internally to see if we can find a clean way to blacklist certain columns depending on the user For now, one solution that is not as great in my perspective is to create a brand new table ex: then you'll use this However, if we take a step back, we could reconsider the fact that In the We will probably deprecate the |
Just received this link from our postgres team and they've told me that custom RLS on views are already available in PostgreSQL 15!! https://www.depesz.com/2022/03/22/waiting-for-postgresql-15-add-support-for-security-invoker-views/ So the idea behind custom view with their own RLS policies will be possible as soon as we offer the upgrade to PG15 at Supabase in the meantime, I've got on hold for next week to have a workaround shared to achieve the same with PG 13-14!! |
Thanks, valid points mentioned, happy to hear about the RLS on Views, very much excited for that one. I've seen and read that exact same article and am happy to see the upgrade to PG15. 🙌 |
One additional note: I am still trying to understand the thought processes behind the storage architecture. The Hence: In common CDN cases other users cannot "simply guess" files from other users. However with supabase you don't have to guess because if the storage bucket is public then you can call This part I don't understand. What's the use-case? Now for my client project I have a login. The login MUST have the anon key obviously. That means users with no access to the system could call Now you could argue: "Well then don't make it public" but that is not a good option as well because the only way to currently deliver files from a private bucket is creating a signed url. I'd expected that Or in other words:
|
Take all of this with a grain of salt I might have something misconfigured and I'm questioning if what I said is true, if any. But is there a good description on the docs what is accessible with a public bucket and what not? Though still would love to see something like |
Okay once more: I understood that if you do not have the select rights you cannot list the files in the bucket - which conceptually was hard to understand since the Policies imply that access to a bucket mean access to download/list etc. but apparently you can also give public buckets select rights such that everyone will still able to download but not everyone can list, correct? |
Hi, @fenos I stumbled on this issue while looking for why the Thanks |
Any update on the response type returns update? I agree that having the full path requires us to parse the path into its useful parts since many operations rely on the bucket and "subpath." Also some operations do not return the ID of the changes object, just return a generic "success" message with no context. This is particularly useful since many Storage API functions work based on path and not ID, so getting a reference to the modified ID is required. |
Feature request
Problem(s)
Currently when uploading via
supabaseClient.storage.from(bucket).upload(filePath, file)
the result is theKey
which seems to beKey = $bucket/$path
which quite honestly is extremely unhelpful. Why not return an object like{ bucket_id, path, id }
? Especially since I couldn't find anything related to thisKey
- it's not a primary key as to my knowledgeWhen deleting objects via
storage.from...remove
we actually do get a proper result returned (even though that's weird because for deletion I would only expect aminimal
version, e.g.deletionCount
or just the{id}
or a boolean. -> hence: inconsistent as compared to my first point and not really easy to follow up to.The storage functions should be properly documented, not just being samples in the Templates (like
storage.foldername(objects.name)
)This last one is an architectural question / issue: i feel like the objects table is holding too much of information considering the fact that someone who "simply should be able to view an image" shouldn't be able to retrieve the
created_at
ormetadata
column necessarily. That might be none of their business, also especially looking atowner
andlast_accessed_at
-> have you thought about making theobjects
table more minimal likeid, bucket, name
and having a related table with the other data to separate concerns?The text was updated successfully, but these errors were encountered: