Policy Exists RLS Disabled

Level: INFO

Rationale

In Postgres, Row Level Security (RLS) policies control access to rows in a table based on the executing user. Policies can be created, but will not be enforced until the table is updated to enable row level security. Failing to enable row level security is a common misconfiguration that can lead to data leaks.

How to Resolve

To enable existing policies on a table, execute:

alter table <schema>.<table> enable row level security;

Example

Given the schema:

create table public.blog(
    id int primary key,
    user_id uuid not null,
    title text not null
);

create policy select_own_posts on public.blog
    for select
    using ((select auth.uid()) = user_id);

A user may incorrectly believe that their policies are being applied. Before the policies take effect, row level security must first be enabled on the underlying table:

alter table public.blog enable row level security;
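
To find every table in this state, query the system catalogs directly. The query below is an added example, not the linter's own implementation; it reads only the standard pg_policy, pg_class and pg_namespace catalogs and emits the statement from How to Resolve for each table it finds.

```sql
-- Added example: tables that have at least one policy defined
-- while row level security is still disabled on the table.
select
    n.nspname                                as schema_name,
    c.relname                                as table_name,
    array_agg(p.polname order by p.polname)  as unenforced_policies,
    -- Even after RLS is enabled, the table owner bypasses policies
    -- unless "force row level security" is also set on the table.
    c.relforcerowsecurity                    as force_rls,
    format(
        'alter table %I.%I enable row level security;',
        n.nspname, c.relname
    )                                        as fix_statement
from pg_catalog.pg_policy p
join pg_catalog.pg_class c
    on c.oid = p.polrelid
join pg_catalog.pg_namespace n
    on n.oid = c.relnamespace
where c.relkind in ('r', 'p')      -- ordinary and partitioned tables
  and not c.relrowsecurity         -- RLS not enabled: policies are inert
  and n.nspname not in ('pg_catalog', 'information_schema')
group by n.nspname, c.relname, c.relforcerowsecurity
order by schema_name, table_name;
```

Run against the example schema before the alter table statement, this returns one row for public.blog listing select_own_posts; after RLS is enabled it returns no rows.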