Access problems ( Queries protection)

I set access permissions for the group [“view_query”, “execute_query”, “list_dashboards”]).
The user really stops seeing the request code and the “Edit Source” button has disappeared.
The url looks like this (… / queries / 77? P_Date.start = 2019-12-01 & p_Date.end = 2019-12-31 # 193).

But the user simply changes the url to: (… / queries / 77 / source? P_Date.start = 2019-12-01 & p_Date.end = 2019-12-31 # 193). Now it is unlimited in anything and can view the request code:

How can I protect the code from viewing?

How did you “set access permissions”? I can’t find any reference in the documentation to using fine grained access controls like this, only “Full Control” or “View”.

I’m pretty sure this user is doing it from the database. Redash supports this experimentally but it’s not documented (probably should be?).

Table “groups”, column “permissions” (base “Redash”). You can set access for each group.