Enable Badge SQL

:warning: Enabling Badge SQL entails security and performance risks.

Starting from Discourse 1.6, badge SQL can no longer be edited by admins unless explicitly enabled.

This change was made for a couple of reasons:

  1. Security: allowing admins to enter SQL directly gives them raw access to the database. In general, we want raw access to the database from the web UI to be a feature you opt in to. Even though the queries only return user_ids, an admin attacker can discover any information in the database using badge queries. For example: if column A of table Y has the letter A in it, return user_id 1, else 2.

  2. Performance: getting badge SQL “just right” is an art; it is not something that is trivial for admins to do correctly. There is a huge risk that people who are not experts can create enormous load on a database by entering bad SQL.
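
The security point in item 1 can be shown in a few lines. This is an added example, not code from Discourse or from the original post: it uses an in-memory SQLite database with a constructed `users`/`secrets` schema (not Discourse's real tables) and a hypothetical `run_badge_query` helper that, like a badge query, hands back nothing but user_ids. It shows why the shape of the result is not a security boundary, which is the reason authoring sits behind an explicit opt-in.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are illustrative only.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY);
        INSERT INTO users VALUES (1), (2);
        CREATE TABLE secrets (name TEXT, value TEXT);
        INSERT INTO secrets VALUES ('api_key', 'k3y');
    """)
    return db

def run_badge_query(db, sql, params=()):
    """Model of the restriction: the caller only ever sees a set of user_ids."""
    return {row[0] for row in db.execute(sql, params)}

# The post's example: user_id 1 if a condition on another table holds, else 2.
ORACLE = """
    SELECT CASE WHEN substr(s.value, ?, 1) = ? THEN 1 ELSE 2 END AS user_id
    FROM secrets s WHERE s.name = 'api_key'
"""

def condition_holds(db, position, char):
    """One query yields one bit: did user 1 'earn' the badge?"""
    return run_badge_query(db, ORACLE, (position, char)) == {1}

def recover(db, alphabet, max_len=8):
    """Repeated yes/no answers add up to the full column value."""
    out = ""
    for pos in range(1, max_len + 1):
        hit = next((c for c in alphabet if condition_holds(db, pos, c)), None)
        if hit is None:  # past the end of the value: no character matches
            break
        out += hit
    return out

if __name__ == "__main__":
    db = make_db()
    print(condition_holds(db, 1, "k"))
    print(recover(db, "abcdefghijklmnopqrstuvwxyz0123456789"))
```
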

You can still get full authoring access by running:

```
./launcher enter app
rails c
> SiteSetting.enable_badge_sql = true
```

If you are an Enterprise customer, contact @team via PM to enable it. (You may also contact the team by emailing team@discourse.org.)

Instead of SQL queries, our Standard and Business customers can see how to grant a custom badge through the API.

SiteSetting.enable_badge_sql = false (the default) disables all new badge SQL authoring. Existing badges will continue to work just fine with the SQL you have created. You can safely disable badge SQL after authoring your required badges for extra safety.

All site settings can be shadowed by globals … using DISCOURSE_ENABLE_BADGE_SQL: true in your container config will enable this.
