From 55927d530da3d2e78eaa29b344ec5c81b66445a6 Mon Sep 17 00:00:00 2001 From: shunki-fujita Date: Fri, 27 Mar 2026 08:57:32 +0000 Subject: [PATCH] Block query results API when public URLs are disabled QueryResultResource did not check disable_public_urls, allowing API key holders to retrieve query results even after the setting was enabled. This adds the same guard used in PublicDashboardResource. Signed-off-by: shunki-fujita --- redash/handlers/query_results.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/redash/handlers/query_results.py b/redash/handlers/query_results.py index bfc4371d08..66d7bdc8aa 100644 --- a/redash/handlers/query_results.py +++ b/redash/handlers/query_results.py @@ -249,6 +249,9 @@ def post(self, query_id): any cached result, or executes if not available. Set to zero to always execute. """ + if self.current_user.is_api_user() and self.current_org.get_setting("disable_public_urls"): + abort(400, message="Public URLs are disabled.") + params = request.get_json(force=True, silent=True) or {} parameter_values = params.get("parameters", {}) @@ -301,6 +304,9 @@ def get(self, query_id=None, query_result_id=None, filetype="json"): :
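Review bot: The new guard at the top of post() has no comment saying which callers it refuses, and the commit message's "API key holders" may be broader than what `is_api_user()` actually matches. If that method is true only for query-scoped keys and not for a user's personal API key, say so in the code, e.g. `# Query-scoped API keys behave like public links; refuse them when the org disables public URLs.` The diffstat's six insertions suggest the same three lines are added to get(), whose hunk is cut off in this view, so a small shared helper on the resource would keep the two checks from drifting apart. No test accompanies the change (the diffstat lists one file); a case asserting the 400 for an API-key request with `disable_public_urls` set, and unchanged behaviour for a logged-in user, would pin the fix. post()'s body continues outside the hunk.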