Block query results API when public URLs are disabled #7679

Open
shunki-fujita wants to merge 1 commit into getredash:master from shunki-fujita:fix/disable-public-urls-query-results

Conversation

Contributor

@shunki-fujita shunki-fujita commented Mar 27, 2026

Close: #7678

QueryResultResource did not check disable_public_urls, allowing API key holders to retrieve query results even after the setting was enabled. This adds the same guard used in PublicDashboardResource.

What type of PR is this?

  • Refactor
  • Feature
  • Bug Fix
  • New Query Runner (Data Source)
  • New Alert Destination
  • Other

Description

How is this tested?

  • Unit tests (pytest, jest)
  • E2E Tests (Cypress)
  • Manually
  • N/A
  • REDASH_DISABLE_PUBLIC_URLS=false
$ curl -s "http://localhost:5000/api/queries/1/results?api_key=<api key>"
{"query_result": {"id": 3, "query_hash": "c65c5f7abb67917dd98fedad6f6d850f", "query": "SELECT * FROM t LIMIT 1000", "data": {"columns": [{"name": "id", "friendly_name": "id", "type": "integer"}, {"name": "name", "friendly_name": "name", "type": "string"}], "rows": [{"id": 1, "name": "hello"}, {"id": 2, "name": "redash"}]}, "data_source_id": 1, "runtime": 0.010477542877197266, "retrieved_at": "2026-03-27T09:24:34.266Z"}}
  • REDASH_DISABLE_PUBLIC_URLS=true
$ curl -s "http://localhost:5000/api/queries/1/results?api_key=<api key>"
{"message": "Public URLs are disabled."}

Related Tickets & Documents

Mobile & Desktop Screenshots/Recordings (if there are UI changes)

QueryResultResource did not check disable_public_urls, allowing
API key holders to retrieve query results even after the setting
was enabled. This adds the same guard used in PublicDashboardResource.

Signed-off-by: shunki-fujita <shunki-fujita@cybozu.co.jp>

shunki-fujita marked this pull request as ready for review March 27, 2026 09:31
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 1 file
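
A triage aid for the gap this PR closes, added here and not part of the PR or of Redash: it scans reverse-proxy access logs for API-key requests to the query results endpoint that were still answered with a 2xx after `REDASH_DISABLE_PUBLIC_URLS` was turned on. The nginx "combined" log format, the sample lines, keys and status codes, and the optional `.json` path suffix are assumptions.

```python
import hashlib
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in nginx "combined" format (assumed; adapt LINE_RE to your proxy).
SAMPLE_LOG = '''\
203.0.113.7 - - [27/Mar/2026:09:24:34 +0000] "GET /api/queries/1/results?api_key=CONSTRUCTED-KEY-A HTTP/1.1" 200 412 "-" "curl/8.5.0"
203.0.113.7 - - [27/Mar/2026:09:40:02 +0000] "GET /api/queries/1/results?api_key=CONSTRUCTED-KEY-A HTTP/1.1" 400 41 "-" "curl/8.5.0"
198.51.100.9 - - [27/Mar/2026:09:41:10 +0000] "GET /api/queries/12/results.json?api_key=CONSTRUCTED-KEY-B HTTP/1.1" 200 9001 "-" "python-requests/2.31"
198.51.100.9 - - [27/Mar/2026:09:42:00 +0000] "GET /api/queries/12/results HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Path as shown in the PR's curl test; the optional ".<ext>" suffix is an assumption.
PATH_RE = re.compile(r'^/api/queries/(?P<qid>\d+)/results(?:\.\w+)?$')


def fingerprint(api_key):
    """Short SHA-256 prefix so reports never contain the key itself."""
    return hashlib.sha256(api_key.encode()).hexdigest()[:12]


def api_key_hits(log_text):
    """Yield (time, query_id, key_fingerprint, status) for API-key result requests."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path = PATH_RE.match(url.path)
        keys = parse_qs(url.query).get("api_key")
        if path and keys:  # requests without api_key (session users) are ignored
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield when, int(path["qid"]), fingerprint(keys[0]), int(m["status"])


def served_after(log_text, enabled_at):
    """Count 2xx API-key responses per (query_id, key) after the setting was enabled."""
    return Counter(
        (qid, fp) for when, qid, fp, status in api_key_hits(log_text)
        if when >= enabled_at and 200 <= status < 300
    )
```

Pass `enabled_at` as a timezone-aware `datetime`; any entry in the result is a key that still received query data after the setting was on.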

Development

Successfully merging this pull request may close these issues.

REDASH_DISABLE_PUBLIC_URLS=true does not block query results API for previously issued API keys
