search

simonw / django-sql-dashboard

Django app for building dashboards using raw SQL queries
https://django-sql-dashboard.datasette.io/
Apache License 2.0
437 stars 37 forks source link

Document how to grant access to individual columns #98

Closed simonw closed 3 years ago

simonw commented 3 years ago 
GRANT SELECT(
  id, last_login, is_superuser, username, first_name, last_name, email, is_staff, is_active, date_joined
) ON auth_user TO "my-read-only-role";

This is a useful pattern for allowing joins against the users table without exposing password hashes.

simonw commented 3 years ago

One limitation of this approach is that select * won't work against tables - you have to explicitly list each column.

SQL__select___from_auth_user_____select_id__username_from_auth_user_limit_2
simonw commented 3 years ago

Good news though: the technique we use to find the columns available for a table appears to take column permissions into account:

SQL_Dashboard

That's this code here: https://github.com/simonw/django-sql-dashboard/blob/eefa5fb5236b711c9717c222b48fb21ed6636176/django_sql_dashboard/views.py#L139-L165

So rather than generate select * we should generate explicit column selects, to avoid this issue cropping up in queries generated by clicking on links.