redash: View-only users cannot execute queries with parameters
Issue Summary
Not an issue maybe, but at least a problematic behaviour for us.
Steps to Reproduce
- Create a query with query parameters
- Set the datasource for this query to a datasource where another user has only the view-only permission
- With this other user, try to inject parameters and then click the refresh button
- See this error message
I expect it to be okay (or at least that can be allowed) to execute queries with query parameters for view-only users.
Technical details:
- Redash Version:
0.11.0+b1959 - Browser/OS: Chrome / OS X
- How did you install Redash: AMI
About this issue
- Original URL
- State: closed
- Created 8 years ago
- Reactions: 1
- Comments: 15 (5 by maintainers)
Why was this ticket closed? As far as I can see this problem still remains.
I needed to organize my groups into 3 categories :
This is what I did in database in order to achieve my organisation, all the values concern the table
groupsand the columnpermissions{admin,super_admin,create_dashboard,create_query,edit_dashboard,edit_query,view_query,view_source,execute_query,list_users,schedule_query,list_dashboards,list_alerts,list_data_sources}{}{list_dashboards,view_query,execute_query}In order to be able to run parametrized queries as a member of the readonly group, you need to define the datasources for the group as
Full Accessor it won’t work!Hope this helps 👍
I submitted a PR. Sorry for being negative on the comments, just it’s kinda surprise as it renders the view only permission on data source pretty much useless. See PR here:
https://github.com/getredash/redash/pull/2539
Permission to run query vs permission to change query should be a very separate matter, and given the life of this project is not that short, I am actually very surprise how this kind of issue can still exist