Comments (6)
The reason for it now is that you can create any query on the frontend (data analytics, for example) without needing to involve developers. Do you suggest writing queries on the backend side?
Also, if you are using HTTPS, then data can't be sniffed.
from jet-django.
@f1nality Yes, I strongly recommend building queries on the backend. Although data cannot be sniffed due to HTTPS, people can still see the database names and table names, which opens the door for other attacks.
from jet-django.
@OmkarPathak Yes, but the admin panel is not something public; only those you give access to will see it. SQL analytics services like https://redash.io/ work the same way. I think a better solution would be to add an SQL permission to the configuration, so that only those you give this permission will see table names. SQL queries saved by admins can be encrypted so that those who don't have such permission won't see the query text. What do you think?
from jet-django.
@f1nality No, you didn't get me. See the highlighted part in the image below:
We can easily see what query is being passed. This shouldn't be the case.
from jet-django.
@OmkarPathak
Yes, that's what I've understood. My idea is to encrypt this query, so only the backend can decrypt it. Users that have the SQL permission will be able to see these queries, though.
Building queries on the backend will eliminate the advantage of building queries on the frontend; it's very handy.
from jet-django.
I agree with @OmkarPathak; you should get rid of this.
While your use case of allowing users to build queries might be cool, having no way to gate what queries can be constructed is really dangerous. What if I construct a query deleting everything? Also, this creates a workaround for some control measures, e.g. the query manager only allows a user to see data in their org, but with SQL queries a user can simply go around that.
If you really want users to be able to construct something, I'd suggest using building blocks that you can easily control in the backend, not SQL. It's incredibly difficult to sanitize and guard SQL. Totally not worth it for the HUGE security loopholes it creates.
from jet-django.
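The "building blocks" approach suggested in the last comment, as an added example that is not part of the thread and not jet-django's own code: the frontend sends a small JSON-like spec (table, columns, filters, optional aggregate), and the backend turns it into parameterized SQL only from an allowlist, appending the org scope itself so the client cannot drop it. The `orders` table, the two orgs, the spec format and the `org_id` scoping column are all constructed for this example; a raw SQL passthrough is contrasted only to show what the allowlist refuses.

```python
"""Backend-controlled query building blocks instead of frontend SQL.

Added example, not jet-django code. The spec format, the allowlist and the
sqlite3 'orders' table with two orgs are all assumptions made for this demo.
"""
import sqlite3

# Allowlist: the only tables, columns, operators and aggregates a client may name.
ALLOWED_TABLES = {
    "orders": {"columns": {"id", "org_id", "amount", "status"}, "org_column": "org_id"},
}
ALLOWED_OPS = {"=": "=", "!=": "!=", "<": "<", ">": ">", "<=": "<=", ">=": ">="}
ALLOWED_AGG = {"sum": "SUM", "count": "COUNT", "avg": "AVG"}


def build_query(spec, org_id):
    """Turn a client spec into (sql, params), or raise ValueError.

    spec = {"table": str, "select": [col, ...],
            "filters": [[col, op, value], ...],            # optional
            "aggregate": {"func": str, "column": str}}     # optional
    The org scope is added by the backend from the session, never from the spec.
    """
    table = spec.get("table")
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    meta = ALLOWED_TABLES[table]
    cols, org_col = meta["columns"], meta["org_column"]

    agg = spec.get("aggregate")
    if agg:
        func = ALLOWED_AGG.get(str(agg.get("func")).lower())
        if func is None or agg.get("column") not in cols:
            raise ValueError(f"aggregate not allowed: {agg!r}")
        select_sql = f'{func}("{agg["column"]}")'
    else:
        select = spec.get("select", [])
        if not select or any(c not in cols for c in select):
            raise ValueError(f"columns not allowed: {select!r}")
        select_sql = ", ".join(f'"{c}"' for c in select)

    # Mandatory org scope first; client filters may never touch the org column.
    where, params = [f'"{org_col}" = ?'], [org_id]
    for f in spec.get("filters", []):
        if not (isinstance(f, (list, tuple)) and len(f) == 3):
            raise ValueError(f"malformed filter: {f!r}")
        col, op, value = f
        if col not in cols or col == org_col or op not in ALLOWED_OPS:
            raise ValueError(f"filter not allowed: {f!r}")
        if not isinstance(value, (int, float, str)):
            raise ValueError("filter value must be a scalar")
        where.append(f'"{col}" {ALLOWED_OPS[op]} ?')
        params.append(value)  # values always go through bind parameters

    sql = f'SELECT {select_sql} FROM "{table}" WHERE {" AND ".join(where)}'
    return sql, params


def run_spec(conn, spec, org_id):
    """Execute a validated spec; only SELECTs on allowlisted tables can result."""
    sql, params = build_query(sql_spec := spec, org_id)
    return conn.execute(sql, params).fetchall()


def is_rejected(spec, org_id):
    """True if the allowlist refuses the spec (used to show what gets blocked)."""
    try:
        build_query(spec, org_id)
    except ValueError:
        return True
    return False


def make_demo_db():
    """Constructed sample data: two orgs sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, org_id INTEGER, amount REAL, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, 1, 10.0, "paid"), (2, 1, 25.0, "open"), (3, 2, 99.0, "paid"),
    ])
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    # What the thread warns about: client-supplied raw SQL is unrestricted,
    # so schema enumeration (and DELETE) would work just as well.
    print(conn.execute("SELECT name FROM sqlite_master").fetchall())
    # Building blocks: org 1 only ever sees its own rows, whatever it asks for.
    print(run_spec(conn, {"table": "orders", "select": ["id", "amount"]}, org_id=1))
    print(run_spec(conn, {"table": "orders", "aggregate": {"func": "sum", "column": "amount"},
                          "filters": [["status", "=", "paid"]]}, org_id=1))
    print(is_rejected({"table": "sqlite_master", "select": ["name"]}, 1))            # True
    print(is_rejected({"table": "orders", "select": ["id"],
                       "filters": [["org_id", "=", 2]]}, 1))                          # True
```

Because table and column names only ever come from the allowlist and values only travel as bind parameters, there is no SQL text to sanitize; the backend also decides what the client may see of the schema, which is the information-disclosure point raised earlier in the thread.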