My users can see other users' data. How do I fix it?
This is the #1 bug in vibe-coded apps: it's called broken access control. In a Supabase app it's almost always a missing or incorrect Row Level Security (RLS) policy. The fix is one SQL migration per affected table. Don't delete your app or refund everyone first; fix the policy, then audit who accessed what.
This is the most common bug in AI-built apps, and it's also the scariest because it's a data breach the moment you confirm it. Here's the order of operations:
**1. Stop the leak first.** In Supabase, go to Authentication → temporarily disable public sign-ups. This stops attackers from creating new accounts to exploit the bug while you fix it.
**2. Find the broken policy.** In the Supabase SQL editor, list every policy on your public tables (`pg_policies` exposes each policy's `USING` expression as `qual` and its `WITH CHECK` expression as `with_check`):

```sql
select tablename, policyname, cmd, qual, with_check
from pg_policies
where schemaname = 'public';
```

Look for policies whose `qual` is `true` (i.e. `using (true)`) or that don't reference `auth.uid()` at all. Those are the broken ones.
**3. Fix the policy.** For a table like `orders` with a `user_id` column, replace the permissive `USING` expression with one that ties each row to the caller's identity:

```sql
alter policy "users read own orders" on orders
  using (auth.uid() = user_id);
```
**4. Check who accessed what.** Supabase logs every query. Run a log search for the affected table and flag any query that returned more than one row where the user should only have received their own. Those accesses should be treated as a breach.
**5. Email affected users within 72 hours.** This is legally required in most places for personal-data exposure.
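Steps 2 and 3 above, carried through as one audit-and-fix migration for the `orders` table. This is an added example, not code from the original post or from Securie; it assumes Supabase's standard `auth.uid()` helper, the `authenticated` role, a `user_id` column, and a policy name of your choosing. The impersonation block at the end assumes `auth.uid()` reads the `sub` claim from the `request.jwt.claims` setting, and the UUID in it is a constructed sample.

```sql
-- Added example (not from the original post). Assumes Supabase's auth.uid()
-- helper and a user_id column on public.orders.

-- A. Tables in `public` with RLS switched off entirely: every row is readable
--    through the API no matter what policies exist, so these need fixing too.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;

-- B. Policies whose USING or WITH CHECK is unconditional, or whose USING
--    never consults the caller's identity (heuristic: no auth.uid() call).
select tablename, policyname, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and (coalesce(qual, '') = 'true'
       or coalesce(with_check, '') = 'true'
       or (qual is not null and qual not like '%auth.uid()%'));

-- C. The fix for `orders`, run as a single transaction so a failure leaves
--    nothing half-applied.
begin;

-- Deny-by-default: with RLS enabled, only rows matched by a policy are visible.
alter table public.orders enable row level security;

-- Remove the leaky policy if one exists (the name here is an assumption).
drop policy if exists "users read own orders" on public.orders;

-- One policy per command. `using` filters the rows a caller may read or
-- touch; `with check` rejects writes that would create rows owned by someone
-- else. Restricting to `authenticated` leaves anonymous callers with nothing.
create policy "orders: select own"
  on public.orders for select to authenticated
  using (auth.uid() = user_id);

create policy "orders: insert own"
  on public.orders for insert to authenticated
  with check (auth.uid() = user_id);

create policy "orders: update own"
  on public.orders for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "orders: delete own"
  on public.orders for delete to authenticated
  using (auth.uid() = user_id);

commit;

-- D. Verify from the SQL editor by impersonating one user (constructed UUID).
--    Assumes auth.uid() reads the `sub` claim from request.jwt.claims.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
                  true);
-- Rows belonging to anyone else must be invisible: this count must be 0.
select count(*) as leaked_rows
from public.orders
where user_id <> '00000000-0000-0000-0000-000000000001';
rollback;
```

Run sections A and B against every table that holds user data, not just the one you already know about, and re-run them after the migration to confirm nothing was missed. Keep in mind that the `service_role` key bypasses RLS entirely, so the impersonation check only reflects what your app sees if it talks to Supabase with the anon key and a user's JWT.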
Securie's scan (launching this year) will check every RLS policy in your Supabase project and flag the ones that leak. Join the early-access list and it runs on your app in week 1 — the fastest way to know you caught every case.