django-sql-explorer

Permissions should be `False` by default

Open WillNilges opened this issue 1 year ago • 2 comments

Just had a bit of a scare. I did not set `EXPLORER_PERMISSION_CHANGE` in my `settings.py`, only `EXPLORER_PERMISSION_VIEW`. Because of this, `/explorer/play` and `explorer/new` were accessible by any user. I think it would be better if these defaulted to `False` to prevent access problems.

WillNilges, Sep 20 '24 01:09

The default value is `user.is_staff` -- so unless that was overridden, it should not be the case that any user would have access. Can you expand a bit more?

chrisclark, Sep 21 '24 19:09

@WillNilges would love to hear more about this. Please LMK. Otherwise I'll close the issue in a few days. Thank you!

chrisclark, Oct 21 '24 15:10
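
An added example, not part of the thread and not django-sql-explorer's own code: a deploy-time check that both permission settings discussed above are set explicitly and refuse non-staff users. It assumes each setting is a callable that takes the request; `fake_request`, `audit_explorer_permissions` and the two sample settings objects are constructed for illustration.

```python
from types import SimpleNamespace

PERMISSION_SETTINGS = ("EXPLORER_PERMISSION_VIEW", "EXPLORER_PERMISSION_CHANGE")

def fake_request(is_authenticated, is_staff):
    """Constructed stand-in for a Django request; only request.user is filled in."""
    user = SimpleNamespace(is_authenticated=is_authenticated, is_staff=is_staff)
    return SimpleNamespace(user=user)

# Constructed personas that should never reach /explorer/play or /explorer/new.
UNPRIVILEGED = {
    "anonymous": fake_request(False, False),
    "regular user": fake_request(True, False),
}

def audit_explorer_permissions(settings):
    """Return a list of findings; an empty list means both checks deny non-staff."""
    findings = []
    for name in PERMISSION_SETTINGS:
        check = getattr(settings, name, None)
        if check is None:
            findings.append(f"{name}: not set, access depends on the package default")
            continue
        if not callable(check):
            findings.append(f"{name}: not a callable taking the request")
            continue
        for persona, request in UNPRIVILEGED.items():
            try:
                allowed = bool(check(request))
            except Exception as exc:  # a crashing check is a finding, not a pass
                findings.append(f"{name}: raised {type(exc).__name__} for {persona}")
                continue
            if allowed:
                findings.append(f"{name}: grants access to {persona}")
    return findings

# Constructed settings: only the VIEW check is defined, as in the report above.
ONLY_VIEW_SET = SimpleNamespace(
    EXPLORER_PERMISSION_VIEW=lambda r: r.user.is_authenticated)

# Constructed settings: both checks pinned explicitly to staff-only.
BOTH_EXPLICIT = SimpleNamespace(
    EXPLORER_PERMISSION_VIEW=lambda r: r.user.is_staff,
    EXPLORER_PERMISSION_CHANGE=lambda r: r.user.is_staff)

if __name__ == "__main__":
    for label, cfg in (("only VIEW set", ONLY_VIEW_SET), ("both explicit", BOTH_EXPLICIT)):
        print(label, "->", audit_explorer_permissions(cfg) or "no findings")
```

In a real project the same function can be called with `django.conf.settings` from a test or a system check, so a missing or over-permissive callback fails the build before deployment.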