Correct Rationale explanation for 0013 RLS disabled in public
Improve documentation
Link
https://supabase.com/docs/guides/database/database-advisors?lint=0013_rls_disabled_in_public
Describe the problem
The doc says: "If row level security (RLS) is not enabled on a public table, anyone with the project's URL can CREATE/READ/UPDATE/DELETE (CRUD) rows in the impacted table."
If our understanding is correct, that is only true if one has shared the API key publicly.
In our case, we don't use the API; we only connect to the database from our server using Supavisor's database string. No one is connecting to the database from their browser, and the API key is not shared publicly.
Thus it seems that it is not true in our case that "anyone with the project's URL can CRUD rows".
We understand that the linter cannot know whether we have shared the API key publicly or not, but it seems to us that the doc should be more precise, so that people don't get confused.
Describe the improvement
You could add a clarification in a colored frame that mentions that this is not the case if the API key is never shared, but then one should be sure of this. This clarification could mention that, in that case, public can be removed from the "exposed schemas" settings of the API to make the error disappear.
Additional context
https://github.com/orgs/supabase/discussions/26584
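Added example, not part of this issue or of the Supabase docs: the condition lint 0013 reports (tables in the public schema with RLS off) as a query, the RLS remediation for the case the doc describes (table reachable through the Data API), and a grant check for the server-only case the issue describes. The table public.orders, its user_id column, and the default anon/authenticated roles are assumptions.

```sql
-- Added example (not from the Supabase docs or this issue). Placeholders:
-- table public.orders, column user_id uuid; anon/authenticated are the
-- default Data API roles.

-- 1. What lint 0013 reports: tables in the exposed public schema with RLS off.
SELECT n.nspname        AS schema_name,
       c.relname        AS table_name,
       c.relrowsecurity AS rls_enabled
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')      -- ordinary and partitioned tables
  AND NOT c.relrowsecurity;

-- 2. Case described in the doc: the table is reachable through the Data API.
--    Enabling RLS with no policy means anon and authenticated get no rows,
--    because those roles do not own the table.
ALTER TABLE public.orders ENABLE ROW LEVEL SECURITY;

-- Grant access deliberately: signed-in users read only their own rows.
CREATE POLICY "owners read own orders" ON public.orders
  FOR SELECT TO authenticated
  USING ((SELECT auth.uid()) = user_id);

-- 3. Case described in the issue: only the server connects, over the
--    Supavisor connection string. Removing public from the API's exposed
--    schemas is a dashboard setting, not SQL; this query shows which table
--    privileges the API roles still hold in public, i.e. what would become
--    reachable again if the schema were re-exposed with RLS still off.
SELECT c.relname AS table_name,
       has_table_privilege('anon', c.oid, 'SELECT')                 AS anon_read,
       has_table_privilege('anon', c.oid, 'INSERT, UPDATE, DELETE') AS anon_write,
       has_table_privilege('authenticated', c.oid, 'SELECT')        AS auth_read,
       has_table_privilege('authenticated', c.oid, 'INSERT, UPDATE, DELETE')
                                                                    AS auth_write
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
ORDER BY c.relname;
```

Query 1 returns an empty result once every table in public has RLS enabled, which is the state in which the lint no longer fires.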