I have 2 tables:
Events
Attendance
I wrote a function that gets triggered on every row insert or update in the Attendance
table, to update "Event"."attendees_count"
column by incrementing by +1 if it’s an insert, decrement by -1 if attendance status was updated to "cancel" (means he will not join event).
How do I write a policy to allow update of "events"."attendees_count"
for all authenticated users even if he’s not the one who created the event, but at the same time prevent other column changes if he’s not the one who create the event
For example this for self event update policy =>
create policy "Enable update activity" on "public"."events" as permissive
for update
to authenticated using ((auth.uid () = created_by))
with
check ((auth.uid () = created_by));
2
Answers
How i make it.
Explaining the problem
I want to increment a column on every INSERT or UPDATE to another table Attendance. so I permitted user to update his event details but I couldn't find a way to allow only one column update for the rest of the users. even from UI I prevent updating others events records still exposing a vulnerability by any authenticated can update any event
The hack
I keep policy for authenticated role to update only the events you create:
on top of that, I move my function from the scoop of authenticated users to postgres (every time a function is triggered it comes with the current user scoop)
Events
to allowUPDATE
with a role ofpostgres
:with SQL Editor run
Create a new schema I call it Daemon
Create function update_event_attendees_count in schema Daemon that will be triggered on every INSERT or UPDATE in Attendance Table
You can define The owner of the Trigger. And Set the privilleges for the triggers separately.
Details are well defined in this answer