Permissions denied for table using API but works with SupabaseClient

[jperestrelo]

Bug report

Describe the bug

When trying to access data from some API endpoints, like this: /rest/v1/leads?select=* I get this error:

{
    "message": "permission denied for table leads",
    "code": "42501",
    "hint": null,
    "details": null
}

when doing the same using JS client like this:

const { data, error } = await supabase
            .from('leads')
            .select()

I successfully get the data. Although enabling or disabling RLS has no impact.

I'm using the same anon API key in both situations.

To Reproduce

I am creating these tables using the following function:

BEGIN
EXECUTE format('
      CREATE TABLE IF NOT EXISTS %I (
       id serial PRIMARY KEY,
       created_at date default current_timestamp
      )', my_table);

EXECUTE format('
      ALTER TABLE %I ENABLE ROW LEVEL SECURITY;
', my_table);    

END

I tried to enable and disable RLS from UI and from SQL editor but didn't change anything.
I also tried to use the service role KEY when using API, but the same error above showed.

When creating the tables from the UI, everything seems to work as intended.

Expected behavior

I was expecting to be able to create tables programmatically from the client-side so I'm trying to do it using functions.
I'm using the function like this:

 const { data, error } = await supabase
            .rpc('create_table', { my_table: table_name })

Am I missing something?

[jperestrelo]

Update
I think I understand what's going on... when creating from the admin UI it creates a set of privileges on the table. While my function is not doing it.

So I'm guessing that there is a lot going on under the hood when creating a table from the UI. There is any recommended way that I can create a table using functions and maintain the same functionalities as if it was being created in the UI?

Thanks

[stephanbogner]

I am not sure if my issue is related:
Even if I disable RLS I can't update a row on a certain table. On other tables it works perfectly.

I am using:

const { data, error } = await supabase
  .from(tableName)
  .update(newRowData)
  .eq(columnName, columnValueAtRow)
  
  if (error) {
      console.error(error);
  }
  return { data, error }

I always get:
{message: 'permission denied for table http_request_queue', code: '42501', hint: null, details: null}

The weird thing is:
I am pretty sure it worked before the holidays. In the meantime my instance got paused due to inactivity, but not sure if that causes the issue.

Before I was using 1.2.1 but with 1.29.1 it's the same result.

[stephanbogner]

Ok ... very weird. I even get this error if I try to edit the data in the UI:

[tilmann]

I ran in the same error. (permission denied for table http_request_queue)

My finding: It seems to be connected with the functions hooks ALPHA. After removing the hooks for the table that throws the error an insert was possible again.

Adding the hook again leads to the same error.

My instance was paused due to the holidays as well.

Any ideas except setting up a new instance?

[dragarcia]

Hi guys 👋

If you guys haven't, would you mind sending over a ticket specifying the affected project over at https://app.supabase.io/support/new, and we'll take a closer look at each one from there.

Thanks!

[stephanbogner]

I ran in the same error. (permission denied for table http_request_queue)

My finding: It seems to be connected with the functions hooks ALPHA. After removing the hooks for the table that throws the error an insert was possible again.

Adding the hook again leads to the same error.

My instance was paused due to the holidays as well.

Any ideas except setting up a new instance?

Ahhh! Why didn't I think of that?! I can confirm the behaviour:
If I delete the function hook (which is a post-request on insert and update) then I can edit values in the table again. But if I re-add the hook it won't work. Exactly as @tilmann described.

[darora]

Hey folks-as a quick update: we've isolated the cause of the issue as an unfortunate interaction between the pause/restore and the mechanism used to enable function hooks via pg_net. We'll be working on both fixing this for the future, and posting a retroactive fix that you will be able to apply to your projects.

[stephanbogner]

@darora
Thanks for the update and your investigation! 👍

[w3b6x9]

hello everyone!

posting a retroactive fix that you will be able to apply to your projects

if you're currently blocked please run the following in your Supabase SQL editor:

GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role, dashboard_user;

ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
ALTER function net.http_collect_response(request_id bigint, async boolean) SECURITY DEFINER;

REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
REVOKE ALL ON FUNCTION net.http_collect_response(request_id bigint, async boolean) FROM PUBLIC;

GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role, dashboard_user;
GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role, dashboard_user;
GRANT EXECUTE ON FUNCTION net.http_collect_response(request_id bigint, async boolean) TO supabase_functions_admin, postgres, anon, authenticated, service_role, dashboard_user;

[tilmann]

🙏 Thanks. That solved the problem for me!

[stephanbogner]

Looks good on my end too 🎉
Thanks ❤️

[jdahdah]

@w3b6x9 Thank you, this solved the issue for me. FYI this happened somewhere along following the lessons in your Egghead course. In lesson 24 I decided to delete the test user and signing up again was no longer possible. But my project has been paused once since I started the course so I guess it's more related to that than something instructed in the course?

[dstroot]

1. @w3b6x9 your fix works! Kudos.
2. This definitely happens after your project is paused (and you have hooks in place I think)

[w3b6x9]

@w3b6x9 Thank you, this solved the issue for me. FYI this happened somewhere along following the lessons in your Egghead course. In lesson 24 I decided to delete the test user and signing up again was no longer possible. But my project has been paused once since I started the course so I guess it's more related to that than something instructed in the course?

@jdahdah Sorry, completely missed your comment. I'll have the team look into this and report back here! There was another user who ran into the same issue and I'm trying to confirm now whether their project was also paused at one point.

[jwright04]

The comment left by @w3b6x9 solved the issue for me although I still see errors when logging in/out specifically
TypeError: destroy is not a function. If I refresh the page and login again, i still see the error, but i'm redirect back to my success page. It's worth noting this is happening on my localhost, I haven't tried deploying yet.

[GaryAustin1]

A user on Discord, following one of the guides for setting up Stripe with an auth trigger to a profile table and then a function hook seems to be encountering this issue. After following the chain of debugging their trigger function and table set up finally they found the error in the logs, which I had seen here. "permission denied for table http_request_queue"

I've asked them to contact support, unless they feel comfortable running the suggested SQL. https://discord.com/channels/839993398554656828/986571085724139550
This is a pretty "random" and nasty bug to have floating about, especially for beginning users following a guide.

[oalbacha]

I ran the suggested SQL and I can sign in but noticed some changes to my RLS policy. Make sure to review your policies after running the suggested SQL

[GaryAustin1]

@oalbacha If you are creating users again, then you are on to some other issues in your code/setup. Probably best to ask in Discord or Github/Discussions here with details.

[julandev]

hello everyone!

posting a retroactive fix that you will be able to apply to your projects

if you're currently blocked please run the following in your Supabase SQL editor:

GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role, dashboard_user;

ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
ALTER function net.http_collect_response(request_id bigint, async boolean) SECURITY DEFINER;

REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
REVOKE ALL ON FUNCTION net.http_collect_response(request_id bigint, async boolean) FROM PUBLIC;

GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role, dashboard_user;
GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role, dashboard_user;
GRANT EXECUTE ON FUNCTION net.http_collect_response(request_id bigint, async boolean) TO supabase_functions_admin, postgres, anon, authenticated, service_role, dashboard_user;

I ran this code in the editor and since then, I have been unable to create new users. Also, I keep getting a type error: destroy is not a function.

As I do not know how to rollback the code , I deleted my projects and organizations and created new ones hoping it would make a difference. It didnt.

Then I created a new supabase account and I am still getting the errors. Is there any other thing I can do?

[rrakso]

Every time I try to make a request POST 'https://<id>.supabase.co/rest/v1/<table_name>' I get permission denied for table <table_name> (the state of the RLS doesn't matter, always the same result...), but once I created a whole new project, then I was able to create new records.

Does anyone know what could be the cause of this strange behavior?

---

PS

The problem persists even when I create the new table using UI (website) (the rest of the tables are created using SQL queries).

EDIT

I checked it with Supabase JS client - same result (even if service key was provided...) (also I didn't test the solution from this comment - too risky on this dataset 😅)

EDIT2

Pause/Restart? Nothing helped...

lastEDIT

I found it! The cause of my problem... Maybe someone will find my "discovery" as useful.
So while developing, I cleared the Postgres with SQL query from this response, and then I filled "public schema" with proper data - so everything was working EXCEPT the JS library and REST requests.
So with "fresh" project REST/client are working fine! After dropping all the data 😐 it breaks - and if I want to fix it back, then (I think) the only solution is to create a new project.

SQL query used to drop all :)

DROP SCHEMA public CASCADE;
CREATE SCHEMA public;

GRANT ALL ON SCHEMA public TO postgres;
GRANT ALL ON SCHEMA public TO public;

[Maikpwwq]

This help me solve that error, In my supabase table config I visit View Policies

Then I added two instances of New Policy, for the Select and Insert methods respectively

[prithvi2k2]

This help me solve that error, In my supabase table config I visit View Policies Then I added two instances of New Policy, for the Select and Insert methods respectively

Is this secure - what does give access to public exactly mean, like anyone without supabase keys/urls can access the db?

[johnsimeroth]

lastEDIT

I found it! The cause of my problem... Maybe someone will find my "discovery" as useful. So while developing, I cleared the Postgres with SQL query from this response, and then I filled "public schema" with proper data - so everything was working EXCEPT the JS library and REST requests. So with "fresh" project REST/client are working fine! After dropping all the data 😐 it breaks - and if I want to fix it back, then (I think) the only solution is to create a new project.

SQL query used to drop all :)

DROP SCHEMA public CASCADE;
CREATE SCHEMA public;

GRANT ALL ON SCHEMA public TO postgres;
GRANT ALL ON SCHEMA public TO public;

This was it for me as well. Thank you for sharing. New project solved it. Would love to know if there's an alternative that doesn't require a new project in the future!

[nahtnam]

The SQL queries in this thread did not help, but turning the pg_net extension off and on fixed it for me

[HanLok420]

The SQL queries in this thread did not help, but turning the pg_net extension off and on fixed it for me

How did you do this?

[nahtnam]

The SQL queries in this thread did not help, but turning the pg_net extension off and on fixed it for me

How did you do this?

In the left menu bar, go to database, then extensions, then look for pg_net

[HanLok420]

The SQL queries in this thread did not help, but turning the pg_net extension off and on fixed it for me

How did you do this?

In the left menu bar, go to database, then extensions, then look for pg_net

Thank you, that did not work for me either. :(
The support is on it hopefully they find a way to solve it soon. I'll let you know.

[emileond]

The SQL queries in this thread did not help, but turning the pg_net extension off and on fixed it for me

Thanks, this worked for me. I got the issue after upgrading postgresql version from the admin UI.

[henriquegdantas]

Just got this after updating from 15.1.1.9 to 15.1.1.13 via the Admin UI. Disabling and reenabling the pg_net solved it.

[stanifert]

Just got this after updating from 15.1.1.9 to 15.1.1.13 via the Admin UI. Disabling and reenabling the pg_net solved it.

Ditto!

[ryonwhyte]

@nahtnam Thank you for your comment. Saved me from deleting my entire database

[caipicoder]

same here:

got this after updating via the Admin UI.
Disabling and reenabling the pg_net solved it

Thanks a lot @nahtnam !

[EricStrohmaier]

Just got this after updating from 15.1.1.9 to 15.1.1.13 via the Admin UI. Disabling and reenabling the pg_net solved it.

how did you update the version via Admin Ui?? cant find that option

[GaryAustin1]

@EricStrohmaier Go to the infrastructure tab in settings.