RLS policy testing patterns for Supabase - automated test cases for Row Level Security enforcement, user isolation verification, multi-tenant security, and comprehensive security audit scripts. Use when testing RLS policies, validating user isolation, auditing Supabase security, verifying tenant isolation, testing row level security, running security tests, or when user mentions RLS testing, security validation, policy testing, or data leak prevention.
February 1, 2026
```bash
npx add-skill https://github.com/vanman2024/ai-dev-marketplace/blob/main/plugins/supabase/skills/rls-test-patterns/SKILL.md -a claude-code --skill rls-test-patterns
```

Installation paths:
.claude/skills/rls-test-patterns/

# RLS Test Patterns

Comprehensive testing framework for Row Level Security (RLS) policies in Supabase. Catch security vulnerabilities before production with automated tests for user isolation, multi-tenant security, role-based access, and anonymous user restrictions.

## Instructions

### 1. Test User Isolation

**Verify users can only access their own data:**

```bash
# Test user isolation on specific tables
bash scripts/test-user-isolation.sh conversations messages profiles

# Test with specific user IDs
bash scripts/test-user-isolation.sh documents --user1 "uuid1" --user2 "uuid2"

# Generate detailed report
bash scripts/test-user-isolation.sh --all --report isolation-report.md
```

**What it tests:**

- User A cannot read User B's data
- User A cannot modify/delete User B's data
- User A can only insert data owned by themselves
- Null user_id values are properly rejected

### 2. Test Multi-Tenant Isolation

**Verify organization/team data separation:**

```bash
# Test organization isolation
bash scripts/test-multi-tenant-isolation.sh organizations projects documents

# Test with specific org IDs
bash scripts/test-multi-tenant-isolation.sh --org1 "org-uuid-1" --org2 "org-uuid-2"

# Test member access patterns
bash scripts/test-multi-tenant-isolation.sh --test-members
```

**What it tests:**

- Org A members cannot access Org B's data
- Users not in an org cannot access org data
- Removing user from org revokes access immediately
- Shared resources respect org boundaries

### 3. Test Role-Based Permissions

**Verify role-based access control:**

```bash
# Test RBAC policies
bash scripts/test-role-permissions.sh admin_panel sensitive_data

# Test specific role hierarchy
bash scripts/test-role-permissions.sh --roles "admin,editor,viewer"

# Test permission escalation prevention
bash scripts/test-role-permissions.sh --test-escalation
```

**What it tests:**

- Admin role has full access
- Editor role can read/write but not delete
- Viewer role has read-only access
- Users
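The user-isolation checks from step 1 (read, modify/delete, and insert ownership), as an added example that is not part of this skill's scripts: one SQL transaction you can run with psql against a Supabase Postgres database, impersonating a user the way PostgREST does. It assumes a Supabase `auth.uid()` that reads `request.jwt.claims` and the standard `authenticated` role; the `notes` table and both user UUIDs are constructed for the test, and the transaction rolls back so nothing persists.

```sql
-- Constructed fixture: a user-owned table with owner-only policies for every verb.
begin;
create table public.notes (
  id      bigint generated always as identity primary key,
  user_id uuid not null default auth.uid(),
  body    text not null
);
alter table public.notes enable row level security;
grant select, insert, update, delete on public.notes to authenticated;
create policy notes_select on public.notes for select to authenticated using (user_id = auth.uid());
create policy notes_insert on public.notes for insert to authenticated with check (user_id = auth.uid());
create policy notes_update on public.notes for update to authenticated
  using (user_id = auth.uid()) with check (user_id = auth.uid());
create policy notes_delete on public.notes for delete to authenticated using (user_id = auth.uid());
-- Seed one row per user before switching roles (the table owner is not subject to RLS).
insert into public.notes (user_id, body) values
  ('11111111-1111-1111-1111-111111111111', 'belongs to user A'),
  ('22222222-2222-2222-2222-222222222222', 'belongs to user B');
-- Impersonate user A the way PostgREST does: switch role and inject the JWT claims, transaction-local.
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);

do $$
declare n int;
begin
  -- Read isolation: user A must see exactly one row, its own.
  select count(*) into n from public.notes;
  if n <> 1 then raise exception 'read isolation failed: user A sees % rows', n; end if;

  -- Write isolation: RLS silently filters B's row out of UPDATE/DELETE rather than
  -- raising, so assert on the affected row count, not on an error.
  update public.notes set body = 'tampered' where user_id = '22222222-2222-2222-2222-222222222222';
  get diagnostics n = row_count;
  if n <> 0 then raise exception 'update isolation failed: % rows changed', n; end if;
  delete from public.notes where user_id = '22222222-2222-2222-2222-222222222222';
  get diagnostics n = row_count;
  if n <> 0 then raise exception 'delete isolation failed: % rows removed', n; end if;

  -- Insert ownership: a row claiming B as owner must fail the WITH CHECK (SQLSTATE 42501).
  begin
    insert into public.notes (user_id, body)
      values ('22222222-2222-2222-2222-222222222222', 'spoofed owner');
    raise exception 'insert isolation failed: a row owned by another user was accepted';
  exception when insufficient_privilege then null;  -- expected outcome
  end;
  raise notice 'user isolation checks passed';
end $$;
rollback;  -- leave no fixture behind
```

Run it with `psql "$DATABASE_URL" -v ON_ERROR_STOP=1 -f user-isolation.sql`; a non-zero exit means one of the three checks raised, and the message names which one.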