Does it seem to be possible to execute DDLs in Re:dash metadata?

[kitsuyui]

Issue Summary

It seems to be possible to create / delete tables in Re:dash metadata.

Steps to Reproduce

1. Open "New Query"
2. Write create/drop SQL

It was created!

#### And also ...

deletable.

Is it safe?
I think that non-administrator users also can do this.

DROP TABLE dashboards, DROP TABLE queries ...

Technical details:

• Redash Version: v0.10.1.b1834, 0.11.0 - RC
• Browser/OS: Google Chrome / OSX / Server: Ubuntu Linux 16.04 LTS
• How did you install Redash: used setup/ubuntu/bootstrap.sh

[arikfr]

It's good to remember that Redash allows whatever you allow the database user you supply it with.

In this case the redash_reader user can create new tables and delete tables it created, but it can't touch (delete) the metadata tables. That's apparently the default behavior in Postgres.

I don't mind changing the bootstrap script to prevent this though by basically adding the following:

revoke create on schema public from public;
grant create on schema public to redash;

[kitsuyui]

@arikfr Oh! I see.
I'm relieved to hear that.

In this case the redash_reader user can create new tables and delete tables it created, but it can't touch (delete) the metadata tables. That's apparently the default behavior in Postgres.