Never use the admin client for reads in server actions | BeforeMerge Rules | BeforeMerge

Never use the admin client for reads in server actions | BeforeMerge Rules | BeforeMerge

Why This Matters

createAdminClient() bypasses RLS — it sees all data. Using it for reads removes your safety net.

Good

export async function getRule(slug: string) {
  const supabase = await createClient()  // RLS enforced
  return supabase.from("rules").select("*").eq("slug", slug).single()
}

Bad

export async function getRule(slug: string) {
  const admin = createAdminClient()  // Bypasses RLS!
  return admin.from("rules").select("*").eq("slug", slug).single()
}