Closed simonw closed 3 years ago
One limitation of this approach is that `select *` won't work against tables - you have to explicitly list each column.
Good news though: the technique we use to find the columns available for a table appears to take column permissions into account:
That's this code here: https://github.com/simonw/django-sql-dashboard/blob/eefa5fb5236b711c9717c222b48fb21ed6636176/django_sql_dashboard/views.py#L139-L165
So rather than generate `select *` we should generate explicit column selects, to avoid this issue cropping up in queries generated by clicking on links.
This is a useful pattern for allowing joins against the users table without exposing password hashes.
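
The pattern discussed in this thread, as an added PostgreSQL example that is not code from django-sql-dashboard: column-level grants hide the password column, `select *` is rejected, and the permission-aware column list is used to build an explicit select. The role `dashboard_ro` and the tables `auth_user` and `blog_entry` are assumptions made for illustration.

```sql
-- Constructed schema; table, column and role names are assumptions.
CREATE TABLE auth_user (
    id       serial PRIMARY KEY,
    username text NOT NULL,
    password text NOT NULL,   -- password hash, must stay hidden
    email    text
);
CREATE TABLE blog_entry (
    id        serial PRIMARY KEY,
    author_id integer REFERENCES auth_user (id),
    title     text
);

CREATE ROLE dashboard_ro NOLOGIN;   -- hypothetical read-only dashboard role

-- Column-level grants are additive: a table-level SELECT on auth_user
-- would expose every column, so make sure none is in place.
REVOKE ALL ON auth_user FROM dashboard_ro;
GRANT SELECT (id, username, email) ON auth_user TO dashboard_ro;
GRANT SELECT ON blog_entry TO dashboard_ro;

SET ROLE dashboard_ro;

-- Rejected: "*" expands to every column, including password,
-- which this role has no privilege on.
SELECT * FROM auth_user;

-- Accepted: only granted columns are referenced, so joins against
-- the users table work without exposing hashes.
SELECT e.title, u.username
FROM blog_entry e
JOIN auth_user u ON u.id = e.author_id;

-- information_schema.columns lists only columns the current role has
-- some privilege on, so it can drive generation of the explicit select.
SELECT format(
           'select %s from %I',
           string_agg(quote_ident(column_name::text), ', '
                      ORDER BY ordinal_position),
           table_name::text
       ) AS generated_sql
FROM information_schema.columns
WHERE table_schema = 'public'
  AND table_name = 'auth_user'
GROUP BY table_name;

RESET ROLE;
```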