Enable Badge SQL

:bookmark: This guide explains how to enable Badge SQL in Discourse and discusses the associated security and performance risks.

:person_raising_hand: Required user level: Administrator
:warning: Enabling Badge SQL can pose security and performance risks.

To maintain security and performance integrity, as of Discourse 1.6, the ability for administrators to edit badge SQL directly is disabled by default. The two primary concerns around enabling Badge SQL are:

  1. Security: Allowing direct SQL entry provides raw database access through the web UI, increasing the potential for sensitive data exposure. Despite queries returning only user_ids, an admin could exploit these queries to unearth information. For example, a query could uncover if column A of table Y has a particular value based on the user_id returned.
  2. Performance: Crafting efficient badge SQL queries is complex. Inexperienced administrators might create queries that put a substantial load on the database, affecting overall site performance.

For those who still wish to enable it, you can receive full SQL authoring access by executing the following command in your Discourse server:

./launcher enter app
rails c
SiteSetting.enable_badge_sql = true

If you are an Enterprise customer, please reach out to the Discourse team through personal message (@team on Meta) or email at team@discourse.org to enable SQL for badge queries.

For non-SQL badge configurations, Standard and Business customers can follow an alternate method for granting custom badges using the Discourse API.

Additional notes

  • The configuration SiteSetting.enable_badge_sql = false remains the default setting, preventing any new SQL badge authoring. Already existing badges will continue functioning with their current SQL.
  • After setting up your badges, you can safely disable Badge SQL to prevent future changes.
  • All settings are subject to global configuration. In your container configuration, using DISCOURSE_ENABLE_BADGE_SQL: true can enable this feature.

Last edited by @SaraDev 2024-08-15T20:22:52Z

Check documentPerform check on document:
56 Likes