Hi,
As mentioned in the article, the problem is with the real-time engine. When a user signs in using the built-in auth system, he gets his own key with row-level permissions. However, this key is not used for the web sockets enabling the real-time engine. For that reason, this same user can listen for real-time changes in the rows of other users. The team behind Supabase promises this is their next feature; we'll have to wait and see.
Ah, I see. That wasn't obvious in the initial reading. Thanks,