Badge SQL can no longer be edited by default

Starting from Discourse 1.6, badge SQL can no longer be edited by admins unless explicitly enabled.

This change was made for a couple of reasons:

  1. Security: allowing admins to enter SQL directly gives them raw access to the database, and in general we are opting to make raw database access from the web UI a feature you opt in to. Even though the queries only return user_ids, an admin attacker can discover any information in the database using badge queries: if column A of table Y has the letter A in it, return user_id 1, else 2.

  2. Performance: getting badge SQL “just right” is an art; it is not something that is trivial for admins to do correctly. There is a huge amount of risk that people who are not experts will create enormous load on the database by entering bad SQL.

You can still get full authoring access by running:

./launcher enter app
rails c
> SiteSetting.enable_badge_sql = true

If you are an Enterprise customer, contact @team via PM to enable it. (You may also contact team by emailing team@discourse.org).

Instead of SQL queries, our Standard and Business customers can see how to grant a custom badge through the API.

SiteSetting.enable_badge_sql = false (the default) disables all new badge SQL authoring. Existing badges will continue to work just fine with the SQL you have already created, so you can safely disable badge SQL after authoring your required badges for extra safety.
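To make the distinction concrete, here is an added Ruby illustration (not Discourse's own code; the `SiteSettings`, `Badge` and `BadgeAuthoringDisabled` names are assumed for this example) of the gate described above: while `enable_badge_sql` is false, introducing or changing a badge's SQL is refused, but a badge that already carries SQL keeps it and can still be renamed.

```ruby
# Added illustration of the enable_badge_sql gate; not Discourse's own classes.
class BadgeAuthoringDisabled < StandardError; end

# Minimal stand-in for the site setting (assumed name for this example).
class SiteSettings
  attr_accessor :enable_badge_sql

  def initialize(enable_badge_sql: false)
    @enable_badge_sql = enable_badge_sql
  end
end

class Badge
  attr_reader :name, :query

  def initialize(name:, query: nil)
    @name = name
    @query = query
  end

  # Creating a badge that ships SQL is an authoring action and is gated;
  # a badge without SQL (granted manually or via the API) is always allowed.
  def self.create(settings, name:, query: nil)
    if query && !settings.enable_badge_sql
      raise BadgeAuthoringDisabled, "badge SQL authoring is disabled (enable_badge_sql = false)"
    end
    new(name: name, query: query)
  end

  # Apply an admin edit. Only a change to the SQL itself is gated, and the
  # check happens before any state is touched, so a refused edit leaves the
  # existing query (which keeps running for the badge) untouched.
  def update(settings, name: @name, query: @query)
    if query != @query && !settings.enable_badge_sql
      raise BadgeAuthoringDisabled, "badge SQL authoring is disabled (enable_badge_sql = false)"
    end
    @name = name
    @query = query
    self
  end
end
```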

All site settings can be shadowed by globals … using DISCOURSE_ENABLE_BADGE_SQL: true in your container config will enable this.
