Prove every user can only read their own rows - shippingszn launch readiness
Database access rules are the lock underneath your UI. Your frontend can hide another user's records, but the database or API still has to refuse the request when someone changes an ID, opens DevTools, or calls the endpoint directly.
This is the classic AI-built app data breach: the app looks private, but Supabase RLS is off, Firebase rules allow broad reads, or the server query forgets `where user_id = currentUser.id`. That is not a hack; it is an unlocked door.
Owner verification required: Database access rules must be proven against the real provider and two real users. Static code can spot hints, but it cannot prove Supabase RLS, Firebase rules, storage policies, and cross-user ownership tests all work in the deployed environment.
The Launch Fix Kit keeps scan-specific findings, file and line evidence, AI-builder punch-list tasks, and verification steps tied to the paid report.
- List every user-scoped table, collection, storage bucket, and API route that returns saved user data.
- For Supabase, enable RLS on every user-scoped table and write policies for select, insert, update, and delete. Do not ship with zero policies.
- For Firebase/Firestore, make rules deny by default and allow reads/writes only when auth.uid owns the document or has an explicit role.
- Test with two real test users: create data as User A, log in as User B, and try to read, edit, or delete User A's records through the app, the API, and any SDK/browser console path.
- Do the highest-yield check the breaches all share: with ONLY your public anon/publishable key (no login), query every user table directly — bypass your own UI. Open a console, point the Supabase/Firebase client at your project with just the public key, and try to select rows. If any row comes back, RLS is off or mis-scoped. This is the exact gap that leaked millions of records from AI-built apps; a builder's own scanner may confirm RLS 'exists' without proving it scopes rows correctly.
Run the scanner | Unlock Launch Fix Kit
Canonical URL: https://shippingszn.com/i/database-access-rules/