CRITICALSecuritysmallPostgreSQL

RLS Disabled on Public Tables

Tables in the public schema without Row Level Security allow unrestricted access through the API.

Why This Matters

Any table in the public schema without RLS is directly accessible via the PostgREST API, exposing all rows to any authenticated or anonymous user.

Related Rules

Unindexed Foreign Keys

Performance

HIGH

Auth Users Table Exposed to API

Security

CRITICAL

Create Indexes Concurrently

Performance

HIGH

Add NOT NULL Constraint Safely

Performance

HIGH

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 4+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why This Matters

When a table in the public schema has RLS disabled, every row is accessible through the API. This is the #1 security issue found by Supabase's splinter linter.

Detection

Run the Supabase splinter linter:

-- From splinter.sql, lint 0013
SELECT schemaname, tablename
FROM pg_tables
WHERE schemaname = 'public'
  AND tablename NOT IN (
    SELECT tablename FROM pg_tables t
    JOIN pg_class c ON c.relname = t.tablename
    WHERE c.relrowsecurity = true
  );

Or use the Supabase Dashboard → Database → Linter.

Fix

ALTER TABLE public.your_table ENABLE ROW LEVEL SECURITY;
 
-- Then add appropriate policies
CREATE POLICY "authenticated_read" ON public.your_table
  FOR SELECT USING (auth.uid() IS NOT NULL);

Tools

Splinter lint 0013 (rls_disabled_in_public)
Supabase Dashboard → Database → Linter

RLS Disabled on Public Tables

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why This Matters

Detection

Fix

Tools