Create permission 'list_queries' #1131
Comments
I'm not sure why you would want to hide the list of queries, but regardless I'm happy to add this - feel free to make a pull request.
Security issues. The default behavior is that users are able to see all the queries. Sometimes you have queries consulting a data source whose results and graphs some users should not be able to see. I think that the users should only see query results from their group's data sources... I will try to send a PR. But I would appreciate it if someone could help with this in the meantime :)
But that's the current behavior -
Sorry @arikfr, there was a misunderstanding on my side. Actually what happened was that some users here were creating queries with wrong data sources.
Now you see the benefit of allowing everyone to list queries -- you can human errors ;-)
But I still think that we could break these permissions 😁
Actually I was thinking a lot about a more standardized way to work with permissions on Redash.
I remember seeing it, but the code that handles permissions is so simple that I don't see any reason to introduce another dependency for it.
Issue Summary
I think that we should split the "view_query" permission in two.
For me it sounds like the group with this permission allows its users to see the page of the query with its visualizations. But this permission gives the ability to see all the queries (as on redash/handlers/queries.py#L74).
I don't want all the users seeing the full queries list.
Maybe it would be good to create the permission list_queries just like we already have list_dashboards, list_alerts, list_data_sources, list_users.
Technical details:
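A minimal sketch of the split discussed in this issue, added here as an illustration and not Redash's own code: listing is gated by the proposed `list_queries` permission, opening a single query by `view_query`, and both still filter by the data sources the user's groups can reach. The `User`, `Query`, `Forbidden`, `require_permission` names and the in-memory data are hypothetical; only the two permission names come from the thread.

```python
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller lacks a required permission or data source."""


@dataclass(frozen=True)
class User:  # hypothetical model, not Redash's
    name: str
    permissions: frozenset      # permission names granted via the user's groups
    data_source_ids: frozenset  # data sources the user's groups can access


@dataclass(frozen=True)
class Query:  # hypothetical model, not Redash's
    id: int
    name: str
    data_source_id: int


# Constructed sample data.
QUERIES = [Query(1, "signups", 10), Query(2, "payroll", 20)]


def require_permission(permission):
    """Reject the call unless the user (first argument) holds `permission`."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if permission not in user.permissions:
                raise Forbidden(permission)
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("list_queries")  # proposed permission: browse the list
def list_queries(user):
    # Still filter by data source, so the list never shows other groups' queries.
    return [q for q in QUERIES if q.data_source_id in user.data_source_ids]


@require_permission("view_query")  # existing permission: open one query page
def get_query(user, query_id):
    query = next((q for q in QUERIES if q.id == query_id), None)
    # Same error for "missing" and "not yours", so ids cannot be probed.
    if query is None or query.data_source_id not in user.data_source_ids:
        raise Forbidden("data source")
    return query
```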