View-only users cannot execute queries with parameters #1163
Comments
The current parameters implementation requires the ability to run any query, therefore it requires full access to the data source. While the UI seems to allow running a specific query with parameters, the API allows you to submit any query. Even if we change the API to take query + parameters, it's still open to SQL injection. We need to refactor our parameters support in order to allow read-only users to be able to use them.
I use the following permissions for a group that needs to execute some queries:
That's what I recommend, but note that I would use this only for internal users you trust won't actively try to avoid your restrictions, as the API allows you to run practically any query.
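The two problems the maintainer describes above, that the API accepts arbitrary query text and that substituting parameter values into that text is itself an injection vector, can be shown side by side. The following is an added example, not Redash's code: the stored-query table, the parameter schema, the `VIEWER` permission record and the `run_for_user` entry point are all hypothetical, and an in-memory SQLite database stands in for the data source so the script runs offline. It shows the naive text-substitution path leaking a row from an unrelated table, and a hardened path in which the client may only name a stored query id and supply values that are type-checked and bound through the driver.

```python
"""Added example, not Redash code: why text-substituted query parameters
cannot be exposed to view-only users, and one hardened shape for the API.

Hypothetical assumptions: queries are stored server-side by id with a declared
parameter schema; the client sends only (query_id, values); values are bound
through the DB driver instead of being pasted into the SQL text."""
import re
import sqlite3
from datetime import date

# Constructed sample database (in-memory SQLite so this runs offline).
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE orders(id INTEGER, customer TEXT, amount REAL, created TEXT);
    INSERT INTO orders VALUES (1, 'alice', 10.0, '2023-01-05'),
                              (2, 'bob',   99.0, '2023-02-10'),
                              (3, 'carol', 42.0, '2023-03-15');
    CREATE TABLE secrets(token TEXT);
    INSERT INTO secrets VALUES ('s3cr3t');
""")

# Hypothetical stored-query table. Placeholders use the {{ name }} syntax;
# the "params" schema is what lets the server validate values.
STORED_QUERIES = {
    7: {
        "sql": "SELECT id, customer, amount FROM orders "
               "WHERE customer = {{ customer }} AND created >= {{ since }}",
        "params": {"customer": "text", "since": "date"},
        "data_source": "warehouse",
    }
}
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Hypothetical user record: view-only access to the "warehouse" data source.
VIEWER = {"name": "viewer", "view": {"warehouse"}}


def render_naive(sql, values):
    """Vulnerable pattern: paste client-supplied values into the query text."""
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), sql)


def run_naive(sql, values):
    """Run the naively rendered text. Whoever controls `values` (or `sql`)
    controls what the data source executes."""
    return conn.execute(render_naive(sql, values)).fetchall()


def validate(schema, values):
    """Coerce every client value to its declared type and reject unknown or
    missing names; a "number" or "date" parameter cannot carry SQL at all."""
    if set(values) != set(schema):
        raise ValueError("parameters must be exactly %s" % sorted(schema))
    clean = {}
    for name, kind in schema.items():
        v = values[name]
        if kind == "number":
            clean[name] = float(v)
        elif kind == "date":
            clean[name] = date.fromisoformat(str(v)).isoformat()
        elif kind == "text":
            clean[name] = str(v)   # acceptable only because it will be bound
        else:
            raise ValueError("unknown parameter type %r" % kind)
    return clean


def compile_bound(sql, schema):
    """Turn each {{ name }} into a driver placeholder ('?') and return the
    parameter names in order so values can be bound positionally."""
    names = []

    def repl(m):
        name = m.group(1)
        if name not in schema:
            raise ValueError("undeclared parameter %s" % name)
        names.append(name)
        return "?"
    return PLACEHOLDER.sub(repl, sql), names


def run_for_user(user, query_id, values):
    """Hardened entry point: the client picks a stored query id and values,
    never SQL. The server fetches the SQL, checks view permission on the
    query's data source, validates the values and binds them."""
    q = STORED_QUERIES[query_id]
    if q["data_source"] not in user["view"]:
        raise PermissionError("no view permission on data source")
    clean = validate(q["params"], values)
    sql, names = compile_bound(q["sql"], q["params"])
    return conn.execute(sql, [clean[n] for n in names]).fetchall()


if __name__ == "__main__":
    payload = "'' OR 1=1 UNION SELECT 1, token, 0 FROM secrets --"
    print(run_naive(STORED_QUERIES[7]["sql"],
                    {"customer": payload, "since": "'2023-01-01'"}))
    print(run_for_user(VIEWER, 7, {"customer": payload, "since": "2023-01-01"}))
    print(run_for_user(VIEWER, 7, {"customer": "alice", "since": "2023-01-01"}))
```

With the naive path the `customer` value closes the string literal, appends a `UNION` against `secrets` and comments out the rest of the stored query, so a view-only caller reads a table the query never referenced. With the hardened path the same payload is just a customer name that matches nothing, a malformed `since` is rejected before any SQL runs, and there is no way to pass query text at all, which is the separation between "run this query" and "run any query" the thread asks for.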
Why was this ticket closed? As far as I can see this problem still remains.
I do not understand why the hell this is not available. There are some queries for which we need to provide params!
Can we please reopen this, as this is not fixed in version 2.0.0?
Yes, this needs to be reopened.
@arikfr Can you include a bit more description of how you and @AntoineAugusti used the permissions you did to make this work? Otherwise, this issue may need to remain open until a fix is implemented.
I needed to organize my groups into 3 categories:
This is what I did in the database in order to achieve my organisation; all the values concern the table
In order to be able to run parametrized queries as a member of the readonly group, you need to define the datasources for the group as
Hope this helps 👍
We are coming across the permission problem as well. I'm trying to understand the situation here.
So I think the options here are:
BTW, our team does have some other problems
Permission to run a query vs permission to change a query should be a very separate matter, and given that the life of this project is not that short, I am actually very surprised that this kind of issue can still exist.
@goodwill Thanks for expressing your surprise. The open source version of Redash is a community project and comes with no warranties or guarantees of support. We'll fix this issue when we can or when it becomes relevant to our customers, but other issues have a higher priority right now. The fastest way for this to be fixed would most likely be for you or someone else to suggest a pull request, which would really be great. Let us know if it's something you would like help with, and we will review the PR and try to help you land it. But until that happens, your comment comes off as a bit caustic, as it implies that we're failing in some way. I might be reading too much into this - I just want to make sure that you're aware why this might take a while. Please be patient with us. Thanks.
I submitted a PR. Sorry for being negative in the comments; it's just kind of a surprise, as it renders the view-only permission on data sources pretty much useless. See PR here:
@goodwill Thank you! That's awesome. Sorry if I was over-reading things!
We've started a project to redo permissions in Redash, which will also address this use case. To follow along you can watch #3284.
Issue Summary
Not an issue maybe, but at least a problematic behaviour for us.
Steps to Reproduce
I expect it to be okay (or at least that it can be allowed) to execute queries with query parameters for view-only users.
Technical details:
0.11.0+b1959