1

I set access permissions for the group [“view_query”, “execute_query”, “list_dashboards”]).
The user really stops seeing the request code and the “Edit Source” button has disappeared.
The url looks like this (… / queries / 77? P_Date.start = 2019-12-01 & p_Date.end = 2019-12-31 # 193).

image
image1429×253 10.4 KB

But the user simply changes the url to: (… / queries / 77 / source? P_Date.start = 2019-12-01 & p_Date.end = 2019-12-31 # 193). Now it is unlimited in anything and can view the request code:
image
image1420×251 28.8 KB

How can I protect the code from viewing?

2

How did you “set access permissions”? I can’t find any reference in the documentation to using fine grained access controls like this, only “Full Control” or “View”.

3

I’m pretty sure this user is doing it from the database. Redash supports this experimentally but it’s not documented (probably should be?).

4

Table “groups”, column “permissions” (base “Redash”). You can set access for each group.

5

That sounds like you’re hacking the application database to set these permissions, so I wouldn’t expect that to work reliably unless it’s a documented feature.