Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document how to grant access to individual columns #98

Closed
simonw opened this issue May 10, 2021 · 2 comments
Closed

Document how to grant access to individual columns #98

simonw opened this issue May 10, 2021 · 2 comments
Labels
documentation Improvements or additions to documentation
Milestone
0.14

Comments

@simonw
Copy link
Owner

simonw commented May 10, 2021 

GRANT SELECT(
  id, last_login, is_superuser, username, first_name, last_name, email, is_staff, is_active, date_joined
) ON auth_user TO "my-read-only-role";

This is a useful pattern for allowing joins against the users table without exposing password hashes.
@simonw simonw added the documentation Improvements or additions to documentation label May 10, 2021
@simonw simonw mentioned this issue May 11, 2021
Closed
@simonw
Copy link
Owner Author

simonw commented May 11, 2021

One limitation of this approach is that select * won't work against tables - you have to explicitly list each column.

SQL__select___from_auth_user_____select_id__username_from_auth_user_limit_2

@simonw
Copy link
Owner Author

simonw commented May 11, 2021

Good news though: the technique we use to find the columns available for a table appears to take column permissions into account:

SQL_Dashboard

That's this code here:

django-sql-dashboard/django_sql_dashboard/views.py

Lines 139 to 165 in eefa5fb

tables_cursor.execute(
"""
with visible_tables as (
select table_name
from information_schema.tables
where table_schema = 'public'
order by table_name
)
select
information_schema.columns.table_name,
string_agg(column_name, ', ' order by ordinal_position) as columns
from
information_schema.columns
join
visible_tables on
information_schema.columns.table_name = visible_tables.table_name
where
information_schema.columns.table_schema = 'public'
group by
information_schema.columns.table_name
order by
information_schema.columns.table_name
"""
)
available_tables = [
{"name": t[0], "columns": t[1]} for t in tables_cursor.fetchall()
]

So rather than generate select * we should generate explicit column selects, to avoid this issue cropping up in queries generated by clicking on links.

@simonw simonw mentioned this issue May 11, 2021
Closed
simonw added a commit that referenced this issue May 16, 2021
@simonw
Select explicit columns, closes #105, refs #98
f2c163b
@simonw simonw closed this as completed in 1abe5f7 May 16, 2021
@simonw simonw added this to the 0.14 milestone May 16, 2021
simonw added a commit that referenced this issue May 16, 2021
@simonw
Release 0.14
c13ab2a 
Refs #30, #93, #94, #95, #96, #97, #98, #100, #101, #102, #103, #104, #105, #106, #107, #108, #109
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation Improvements or additions to documentation
Projects
None yet
Milestone
0.14
Development

No branches or pull requests
1 participant
@simonw