>VIBECODEWALL
methodresultsprointel[login]
|
[scan]
/blog/article
Security/2026-07-11/4 min

How to make sure each person only sees their own app data

If your AI-built app has accounts, saved records, messages, bookings, or payments, a sign-in screen is not enough. You also need rules that keep each person inside their own data.

read in Portuguese

before you start

When different people use the same app, each person should only see and change what belongs to them.

What this means in real life

in plain words

If two people use your app, each one should only see their own saved information. A sign-in screen by itself does not guarantee that.

Think about an app with notes, bookings, invoices, messages, health details, customer information, or payment history. A person signs in and expects to see only their own information. If your app accidentally shows another person's records, or lets someone change or delete another account's data, the problem is not just confusion. It is a real safety failure for a multi-user app.

The simple idea comes first: every saved item must be connected to the right person, and your app must check that connection every time it shows, creates, changes, or removes data. In Supabase, the technical name is Row Level Security. Developers often shorten that to RLS. You do not need to start with the term. Start with the outcome you want: one person should stay inside their own records, not everyone else's.

  • ▸A sign-in screen tells the app who the person is.
  • ▸Separate rules decide which records that person can open or change.

common risk

A customer signs in to a notes app and sees another customer's notes because the app loaded every saved note instead of only that person's notes.

what to do now

Open your app with a normal test account and check every list, detail page, dashboard, and search result for information that does not belong to that account.

ask your AI

Review this Supabase app for user-by-user data separation. Show me every place where a signed-in person can view, create, edit, or delete records. For each place, explain in plain language how the app makes sure the person can only access their own data. If any area is missing protection, fix it and tell me exactly what changed.

Why it matters for your app

in plain words

People trust your app with their information. If records mix together, that trust breaks fast.

Many beginners think the danger starts only when an app handles bank cards or medical data. But even a simple app can expose customer information, home addresses, phone numbers, private notes, booking times, uploaded files, or order history. If one user can see another user's information, the app feels broken immediately. If one user can edit or delete another user's records, the damage becomes even bigger because information can be changed or lost.

This is why Supabase includes row-by-row protection rules. The technical name is Row Level Security. These rules are meant to check each saved row of data and ask, in effect, does this row belong to the current person? If yes, allow it. If not, block it. That protection matters on every screen and every action, not only on the first page after sign-in. It also matters over time, because a new feature can quietly skip the rules you thought were already covering everything.

  • ▸The risk includes customer information, messages, orders, files, and profile details.
  • ▸A new feature can break separation even if older screens worked correctly.

common risk

A booking app correctly hides the main booking list, but a newly added details page still shows another person's booking when the wrong account opens it.

what to do now

List the kinds of information your app stores for each person, then verify that every kind of record is separated by user, not only the most important screen.

ask your AI

Make a complete map of all user-owned information in this app, including messages, profiles, bookings, orders, files, and notes. For each table, explain whether Supabase Row Level Security is protecting it, what the ownership field is, and whether any screen might still show the wrong person's data.

A common risk beginners miss

in plain words

The most common mistake is protecting what people can see, but forgetting to protect what they can change or remove.

A beginner often tests the happy path: sign in, open the dashboard, and confirm it looks right. But problems often appear in the less obvious places. Maybe the list page is filtered correctly, but the edit action trusts a record number from the page. Maybe a delete button works on an item that belongs to another account. Maybe a new table was added for comments or uploaded files, but no owner link was saved with each row. In all of these cases, the app can mix data between people even though the main screen looked fine.

The practical rule is simple: every user-owned record should carry a clear owner link, usually the signed-in user's ID. Then every read, insert, update, and delete should check that owner link. The technical names are read, insert, update, and delete rules inside Row Level Security. If you use an AI builder, ask it to show those checks one by one. You are not looking for fancy wording. You are looking for proof that one person's account cannot touch another person's row.

  • ▸Protect viewing, creating, editing, and deleting separately.
  • ▸Make sure each record stores who it belongs to.

common risk

A user cannot see another person's project list, but can still delete that person's project by opening a saved direct page address.

what to do now

Create two test accounts, add sample data to both, and test viewing, creating, editing, and deleting from each account one by one.

ask your AI

Check every Supabase table that stores user-owned records. Confirm each record has an owner field linked to the signed-in user, and add or fix Row Level Security rules for viewing, creating, editing, and deleting so one user cannot affect another user's rows. Then give me a simple two-account test plan I can follow.

What to do now

in plain words

You need a short repeat process: check ownership, confirm the rules exist, keep passwords and payment keys out of public files, and retest after every change.

Start with the data tables. Find every table that stores information for individual users. Confirm each row has a clear owner field. Then ask your AI builder where Supabase is enforcing row-by-row checks. After that, test with two accounts. User A should only see A's records. User B should only see B's records. Each one should only be able to create, edit, and delete their own rows. This is the fastest practical check for whether your app is respecting user boundaries.

While you are doing that review, also check where your app stores passwords, payment keys, and access codes. Those should not appear in browser-delivered files or public screens. VibeCodeWall does not look inside your private code. It checks the public app from the outside and watches for important changes over time, which helps you catch exposures that become visible after updates. That does not replace your own user-by-user data tests. It works best alongside them as a repeat habit after every app change.

  • ▸Use two test accounts every time you add a new screen or table.
  • ▸Keep passwords, payment keys, and access codes out of anything visitors can download.

common risk

After adding a new profile table, the app starts showing all profiles because that table never got row-by-row rules, and no one retested with a second account.

what to do now

Run a two-account test today, ask your AI builder to show the row-by-row rules on every user table, and repeat the same check after each update.

ask your AI

Audit this app for Supabase Row Level Security and beginner-safe data separation. 1) List every table that stores user-owned data. 2) Show the owner field for each table. 3) Show the read, insert, update, and delete rules for each table in plain language. 4) Fix any table where a signed-in user could access another person's rows. 5) Check that passwords, payment keys, and access codes are not sent to browser-delivered files. 6) Give me exact steps to retest with two accounts after every change.

Quick checklist

  1. 01Sign in with two different test accounts and confirm each one only sees its own records.
  2. 02Open saved pages, orders, messages, profiles, or bookings with the other test account and check what appears.
  3. 03Make sure every user-owned record has a clear owner field tied to the signed-in person.
  4. 04Confirm create, edit, and delete actions only work for the current person's own items.
  5. 05Check that passwords, payment keys, and access codes are kept out of files visitors can download.
  6. 06Review any admin area and make sure it is separate from the normal user experience.
  7. 07Ask your AI builder to show exactly where user-by-user data rules are defined and tested.
  8. 08Repeat the same checks after every new screen, feature, or table.

FAQ

Is a sign-in screen enough to protect user data?

No. A sign-in screen only identifies the person. You also need rules that decide which saved rows that person may see, create, edit, or delete.

What is the Supabase term I should mention to my AI builder?

After you understand the plain idea, the technical name is Row Level Security. Developers often call it RLS. It means row-by-row rules that keep each person inside their own data.

How can I test this without being a developer?

Use two test accounts. Create different sample records in each account. Then sign in as each user and check lists, detail pages, edit actions, and delete actions one by one.

What does VibeCodeWall do here?

VibeCodeWall checks the public app from the outside and watches for important changes over time. That can help you spot exposed files or public behavior changes, but you should still run your own two-account data separation tests.

check your published app

Check what strangers can see in your published app

Start with a free check. VibeCodeWall looks at the public version of your app and keeps watching for important changes over time.

check my app free →