I have enabled RLS. The policy allows "ALL" operations, with the following expression for both "USING expression" and "WITH CHECK expression":
((auth.jwt() ->> 'sub'::text) = (author_user_id)::text)
I have an "author_user_id" field in the table that holds the user_id of the user who owns that row. All records have a user_id, which comes from the user who created the record.
When using the Supabase GUI, I changed the role to the authenticated role for each user. I can see only the records of that user, correctly.
However, when using FF "Test" and logging in as the same user, I expected to see only the records of this user, similar to when using Supabase. But I could see all records. I cannot delete others' records.
Is it about a cache somewhere?
Is it a limitation of Test Mode that it always has full permission when accessing Supabase?
Is the expression above correct?
I have tried using Chrome Incognito Mode and got the same problem.
In my app, I show the authenticated email and authenticated user id, which are showing correctly.
Please kindly advise.
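
The policy described above can be checked from the database side with the queries below. This is an added example, not part of the original post. The table name `public.my_table` and the `sub` value are constructed placeholders, since the post names only the `author_user_id` column.

```sql
-- Placeholder table name: public.my_table (the post does not name the table).

-- 1. Is RLS enabled on the table? relforcerowsecurity = false means the
--    table owner is not subject to the policies.
select relname, relrowsecurity, relforcerowsecurity
from pg_class
where oid = 'public.my_table'::regclass;

-- 2. Which roles skip RLS entirely? A client that connects with a key for a
--    role where rolbypassrls = true sees every row regardless of policies.
select rolname, rolbypassrls
from pg_roles
where rolname in ('anon', 'authenticated', 'service_role');

-- 3. List every policy on the table. Permissive policies are OR-ed together,
--    so a second SELECT policy whose qual is 'true' exposes all rows even
--    though the owner policy from the post is also present. Such a policy
--    would still leave DELETE restricted to the owner.
select policyname, permissive, roles, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and tablename  = 'my_table'
order by cmd, policyname;

-- 4. Reproduce what an API request sees: set the JWT claims that auth.jwt()
--    reads, switch to the authenticated role, and count visible rows.
begin;

select set_config(
  'request.jwt.claims',
  '{"sub": "00000000-0000-0000-0000-000000000001", "role": "authenticated"}',  -- constructed user id
  true  -- local to this transaction
);
set local role authenticated;

-- With only the owner policy in force this returns a single group whose
-- author_user_id equals the constructed sub above (or no rows at all).
select author_user_id, count(*) as visible_rows
from public.my_table
group by author_user_id;

rollback;
```

Run it in the Supabase SQL editor with a real user id in place of the constructed `sub`; more than one group in the last result means a role or policy other than the owner policy is granting read access.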