Row level policies for non-SPA?

I see discussion of row-level policies on realtime SPAs in The Guide, but does it not make sense to define policies also when server-side rendering? E.g. letting secret_diary_entries only be visible if user_id = ihp_user_id() and public_profile_pages only be writable where user_id = ihp_user_id()?

This is supported by IHP.

Check out this function:

https://ihp.digitallyinduced.com/api-docs/IHP-LoginSupport-Helper-Controller.html#v:enableRowLevelSecurityIfLoggedIn

Aha, that’s pretty cool. Is there any reason not to enable that?

Sometimes you want to do queries that are global, e.g. let’s say you want to display the count of all users that created an account. With enableRowLevelSecurityIfLoggedIn enabled, it will always show 1 (assuming the RLS policy allows the user only to see himself).

For that there’s also IHP.ModelSupport to disable the RLS scope for a specific code block.

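An added example, not part of the thread or of IHP's own code: the two policies from the question written in plain PostgreSQL, followed by the global-count effect described in the reply. The columns, the `app_user` role, the sample rows and the stand-in `ihp_user_id()` definition (including its setting name) are assumptions, and the script expects a superuser session on a scratch PostgreSQL 13+ database.

```sql
-- Constructed schema: table names are from the question, columns are assumed.
CREATE TABLE secret_diary_entries (
    id      uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id uuid NOT NULL,
    body    text NOT NULL
);
CREATE TABLE public_profile_pages (
    id      uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id uuid NOT NULL,
    bio     text NOT NULL
);

-- Stand-in for ihp_user_id() so the script runs outside an IHP app.
-- The setting name 'rls.ihp_user_id' is an assumption of this example.
CREATE FUNCTION ihp_user_id() RETURNS uuid AS $$
    SELECT NULLIF(current_setting('rls.ihp_user_id', true), '')::uuid;
$$ LANGUAGE sql STABLE;

ALTER TABLE secret_diary_entries ENABLE ROW LEVEL SECURITY;
ALTER TABLE public_profile_pages ENABLE ROW LEVEL SECURITY;

-- Diary entries: the owner is the only one who can read or write a row.
CREATE POLICY diary_owner_only ON secret_diary_entries
    USING (user_id = ihp_user_id())
    WITH CHECK (user_id = ihp_user_id());

-- Profile pages: readable by everyone, writable only by the owner.
CREATE POLICY profile_read_all ON public_profile_pages FOR SELECT USING (true);
CREATE POLICY profile_insert_own ON public_profile_pages FOR INSERT
    WITH CHECK (user_id = ihp_user_id());
CREATE POLICY profile_update_own ON public_profile_pages FOR UPDATE
    USING (user_id = ihp_user_id()) WITH CHECK (user_id = ihp_user_id());
CREATE POLICY profile_delete_own ON public_profile_pages FOR DELETE
    USING (user_id = ihp_user_id());

-- Policies are skipped for superusers and table owners, so query as another role.
CREATE ROLE app_user NOLOGIN;  -- hypothetical application role
GRANT SELECT, INSERT, UPDATE, DELETE
    ON secret_diary_entries, public_profile_pages TO app_user;

INSERT INTO secret_diary_entries (user_id, body) VALUES
    ('11111111-1111-1111-1111-111111111111', 'constructed entry, first user'),
    ('22222222-2222-2222-2222-222222222222', 'constructed entry, second user');

SET ROLE app_user;
SET rls.ihp_user_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) FROM secret_diary_entries;  -- scoped: other users' rows are filtered out
RESET ROLE;
SELECT count(*) FROM secret_diary_entries;  -- unscoped: superuser bypasses the policies
```

With no user id set, `ihp_user_id()` returns NULL, so the owner comparisons match no rows and the diary table reads as empty while profile pages stay readable.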