main ← add-current-user-id-parameter-to-data-explorer
merged 03:40PM - 12 Dec 25 UTC
Introduces a new `current_user_id` parameter type that automatically injects the… ID of the user running the query. This enables secure "personal data" queries in group reports where non-admin users can run queries filtered to their own data.
Why:
- Members requested queries like "show my recent posts" for group reports, but there was no secure way to reference the current user
- Passing user_id as a regular parameter would allow users to spoof other users' IDs
How it works:
- Parameter is injected server-side, ignoring any user-provided value
- Frontend hides input fields for "internal" parameter types
- Supports nullable option for queries that may run without auth
Example usage:
```sql
-- [params]
-- current_user_id :me
SELECT *
FROM posts
WHERE user_id = :me
```
Here are a few screenshots of how it looks like:
The query from the admin PoV
<img width="1471" height="1092" alt="CleanShot 2025-12-12 at 11 20 10" src="https://github.com/user-attachments/assets/bc6ce759-ebcb-4550-9035-dbaf7ae034da" />
How it looks like from a member of the report's allowed group
<img width="1471" height="1092" alt="CleanShot 2025-12-12 at 11 19 48" src="https://github.com/user-attachments/assets/10eb1ddb-c93b-4608-988d-e4a8ca13d8ba" />