Enable Badge SQL

:warning: Enabling Badge SQL entails security and performance risks.

Starting from Discourse 1.6, badge SQL can no longer be edited by admins unless it is explicitly enabled.

This change was made for a couple of reasons:

  1. Security: allowing admins to enter SQL directly gives them raw access to the database, and we have decided that raw database access from the web UI should be a feature you opt in to. Even though the queries only return user_ids, a malicious admin can still discover any information in the database using badge queries: if column A of table Y contains the letter A, return user_id 1, else return 2.

  2. Performance: getting badge SQL “just right” is an art; it is not trivial for admins to do correctly. There is a huge risk that non-experts put enormous load on the database by entering bad SQL.

You can still get full authoring access by running:

./launcher enter app
rails c
> SiteSetting.enable_badge_sql = true

If you are an Enterprise customer, contact @team via PM to enable it. (You may also contact team by emailing team@discourse.org).

Instead of SQL queries, our Standard and Business customers can see how to grant a custom badge through the API.

SiteSetting.enable_badge_sql = false (the default) disables all new badge SQL authoring. Existing badges will continue to work just fine with the SQL you have already created, so for extra safety you can disable badge SQL again once your required badges are authored.

All site settings can be shadowed by global settings; putting DISCOURSE_ENABLE_BADGE_SQL: true in your container config will enable this.


where should I run this?

That needs to be run on the server, so if you have a hosted site you would need to contact your provider. However, not all providers allow it on all hosting tiers as it can be resource intensive. For instance, it’s only available on our hosting on the Enterprise tier. :discourse:

Though there are alternative ways to grant badges that don’t rely on the Custom SQL triggers, either by manually running a data-explorer query and bulk awarding the csv results, or combining the query with an API call. :+1:

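The SQL-free route mentioned in the original post and in the reply above (run the query in Data Explorer, export the usernames, then grant the badge over the API) as an added example; this is not Discourse's own code. It assumes a POST to /user_badges.json with username and badge_id, an API key supplied via the DISCOURSE_API_KEY environment variable, and a constructed sample CSV; the badge id and forum URL are placeholders.

```python
"""Bulk-award a Discourse badge from a Data Explorer CSV export via the REST API.

Assumed endpoint: POST /user_badges.json with form fields username, badge_id
and optional reason, authenticated with Api-Key / Api-Username headers. The key
is read from the environment so it never sits in the script or a badge query.
"""
import csv
import io
import os
import urllib.request
from urllib.parse import urlencode

# Constructed sample of what a Data Explorer CSV export of usernames looks like.
SAMPLE_CSV = "username\nalice\nbob\n\nalice\ncarol\n"


def usernames_from_csv(text, column="username"):
    """Return the de-duplicated, non-empty usernames from a CSV export."""
    seen, result = set(), []
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get(column) or "").strip()
        if name and name not in seen:
            seen.add(name)
            result.append(name)
    return result


def build_grant_requests(base_url, usernames, badge_id, reason=None):
    """Build one (url, form_fields) pair per user for POST /user_badges.json."""
    url = base_url.rstrip("/") + "/user_badges.json"
    plan = []
    for name in usernames:
        fields = {"username": name, "badge_id": str(badge_id)}
        if reason:
            fields["reason"] = reason  # optional post URL shown with the grant
        plan.append((url, fields))
    return plan


def grant_badges(base_url, usernames, badge_id, reason=None, dry_run=True):
    """Grant badge_id to each username; with dry_run=True nothing is sent."""
    plan = build_grant_requests(base_url, usernames, badge_id, reason)
    if dry_run:
        return plan
    headers = {"Api-Key": os.environ["DISCOURSE_API_KEY"],      # from env only
               "Api-Username": os.environ.get("DISCOURSE_API_USERNAME", "system")}
    for url, fields in plan:
        req = urllib.request.Request(url, data=urlencode(fields).encode(), headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:  # raises on HTTP errors
            resp.read()
    return plan
```

Use an API key restricted to the account and scope that actually needs to grant badges, and keep dry_run=True until the printed plan matches the CSV you exported.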