Fix guide · high · rls_policy_not_working

Supabase RLS policy isn't blocking unauthorized reads

What this rule means

RLS is enabled and a policy exists, yet the table is still readable by callers it should exclude. The common causes are listed below.

Why it matters

The policy is the only thing standing between the public anon key and every row in the table. A policy with the wrong USING clause, a missing WITH CHECK, or the wrong TO role gives the same result as no policy at all.

How to fix it

The seven reasons RLS appears to fail:

  1. You're using the service_role key, which carries BYPASSRLS: no policy applies. Decode the JWT payload and check its role claim; a client bundle should only ever contain the anon key.
  2. USING (true): equivalent to no policy. Replace with a real predicate.
  3. Missing WITH CHECK on writes. An INSERT policy takes only WITH CHECK; an UPDATE policy needs USING (which rows may be targeted) and WITH CHECK (what the written row may contain). If WITH CHECK is omitted on UPDATE, Postgres reuses the USING expression, so a "readable" predicate silently becomes the write rule.
  4. FOR ALL instead of separate FOR SELECT/INSERT/UPDATE/DELETE: one predicate must make sense for all four commands, and it usually doesn't.
  5. Wrong role grant: TO authenticated vs TO anon matters, and a policy with no TO clause applies to PUBLIC, which includes anon.
  6. auth.uid() returns NULL when there is no session (anon key, no JWT). `col = auth.uid()` then evaluates to NULL and the row is denied, which can look like a broken policy; a NULL-tolerant comparison (coalesce(), IS NOT DISTINCT FROM) can instead grant rows whose owner column is also NULL.
  7. Multiple permissive policies OR together: if any one matches, access is granted. Only policies created AS RESTRICTIVE are ANDed with the rest.
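
The policy set below is an added example and is not code from this guide or from Supabase; it assumes a hypothetical table public.notes with an owner_id uuid column. It shows the weak shape that triggers reasons 2, 4 and 5, the per-command replacement with both USING and WITH CHECK, a restrictive policy that caps what any later permissive policy can grant, and two checks: one that lists policies with a literal true predicate or a PUBLIC role grant, and one that reports the role a request actually arrives with.

```sql
-- Added example (not from the guide). public.notes and owner_id are hypothetical names.

-- The weak shape: one FOR ALL policy, no TO clause (defaults to PUBLIC, so anon gets it),
-- and a predicate that is always true. This is indistinguishable from having no RLS.
-- CREATE POLICY "notes_all" ON public.notes FOR ALL USING (true);

DROP POLICY IF EXISTS "notes_all" ON public.notes;
ALTER TABLE public.notes ENABLE ROW LEVEL SECURITY;
-- Also applies policies to the table owner. It does NOT affect service_role,
-- which has the BYPASSRLS attribute, so that key must never reach a client.
ALTER TABLE public.notes FORCE ROW LEVEL SECURITY;

-- Reads: only the owner, only for signed-in users. With no session auth.uid() is NULL,
-- owner_id = NULL evaluates to NULL, and RLS treats that as false: the row is hidden.
CREATE POLICY "notes_select_own" ON public.notes
  FOR SELECT TO authenticated
  USING (owner_id = auth.uid());

-- Inserts: an INSERT policy has no USING, only WITH CHECK on the new row.
CREATE POLICY "notes_insert_own" ON public.notes
  FOR INSERT TO authenticated
  WITH CHECK (owner_id = auth.uid());

-- Updates: USING selects which rows may be targeted, WITH CHECK constrains the result
-- (without it, owner_id could be reassigned to another user).
CREATE POLICY "notes_update_own" ON public.notes
  FOR UPDATE TO authenticated
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

CREATE POLICY "notes_delete_own" ON public.notes
  FOR DELETE TO authenticated
  USING (owner_id = auth.uid());

-- Permissive policies OR together. A RESTRICTIVE policy is ANDed with whatever matched,
-- so even a later, over-broad permissive policy cannot expose rows to an anonymous caller.
-- Note: a restrictive policy alone grants nothing; it only narrows permissive ones.
CREATE POLICY "notes_require_session" ON public.notes
  AS RESTRICTIVE FOR ALL TO authenticated, anon
  USING (auth.uid() IS NOT NULL)
  WITH CHECK (auth.uid() IS NOT NULL);

-- Check 1: policies whose predicate is literally true or that apply to every role.
-- Expect zero rows on a table that is actually protected.
SELECT schemaname, tablename, policyname, permissive, roles, cmd, qual, with_check
FROM pg_policies
WHERE schemaname = 'public'
  AND (qual = 'true' OR with_check = 'true' OR roles = '{public}');

-- Check 2: run this through the Supabase API with the key your app ships. PostgREST
-- exposes the JWT claims as request.jwt.claims; a result of 'service_role' means the
-- wrong key is in the client and every policy above is being bypassed.
SELECT current_setting('request.jwt.claims', true)::jsonb ->> 'role' AS effective_role;
```

If Check 1 returns a row, fix that policy first; it alone explains an "RLS not working" report regardless of how the other policies are written. Run Check 2 with the same key your bundle uses, not from the SQL editor, since the editor runs as the postgres role.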

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
