GitHub user dosubot[bot] added a comment to the discussion: Emit SQL DML (INSERT, UPDATE, DELETE) statements from a chart plugin in Superset

Hi @apabolleta! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

Based on the current architecture and available information, emitting SQL DML (INSERT, UPDATE, DELETE) statements directly from a chart plugin in Superset is not a supported or documented feature. Superset is primarily designed for data visualization and exploration, with a strong focus on querying and visualizing data rather than modifying it.

The main mechanism for executing SQL in Superset is through SQL Lab, which uses endpoints like `/api/v1/sqllab/execute/` to run queries, including DML statements, if the database configuration allows it and the user has the necessary permissions. This is handled in the frontend via functions such as `runQuery` and `runQueryFromSqlEditor` in the SQL Lab codebase, which leverage `SupersetClient.post` to execute SQL queries, including DML, through the API if permitted by the backend configuration and user permissions [[source]](https://github.com/apache/superset/blob/master/superset-frontend/src/SqlLab/actions/sqlLab.js).

There is an `allow_dml` attribute in the database API configuration, which suggests that DML operations can be enabled or restricted at the database connection level [[source]](https://github.com/apache/superset/blob/master/superset/databases/api.py). However, this setting is not exposed or intended for use by chart plugins, and there is no evidence in the codebase or documentation that chart plugins are allowed to emit arbitrary SQL, especially DML statements.

No documentation or prior discussions were found that describe emitting SQL DML statements from chart plugins, nor any supported API for doing so. This is likely due to significant security and architectural concerns: allowing arbitrary SQL execution (especially DML) from plugins would pose a major risk to data integrity and security.

In summary:

- Chart plugins in Superset are not designed to emit SQL DML statements.
- SQL execution (including DML) is possible via SQL Lab, subject to backend configuration and user permissions.
- There is no supported or documented way to emit arbitrary SQL from a chart plugin, and doing so would likely violate Superset's security model.

If you have a use case that requires modifying data from within Superset, it is recommended to handle this outside of chart plugins, using SQL Lab or other controlled mechanisms, and to carefully consider the security implications.

GitHub link: https://github.com/apache/superset/discussions/33590#discussioncomment-13282676
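The gating described in the comment above (DML runs only when the user may execute SQL and the connection's `allow_dml` is set), as an added example that is neither Superset's code nor part of the original comment. It assumes a database record shaped like a dict with an `allow_dml` key, a hypothetical `user_can_run_sql` flag, and a keyword scan standing in for a real SQL parser.

```python
import re

# DML verbs named in the discussion. A keyword scan is a stand-in for a real
# SQL parser and fails closed: an unquoted column named "update" is flagged.
DML_VERBS = {"INSERT", "UPDATE", "DELETE"}

# Text that may contain DML-looking words without being SQL keywords.
_NOISE = re.compile(
    r"--[^\n]*"           # line comment
    r"|/\*.*?\*/"         # block comment
    r"|'(?:[^']|'')*'"    # string literal ('' is an escaped quote)
    r'|"(?:[^"]|"")*"',   # quoted identifier
    re.DOTALL,
)

def dml_verbs_in(sql):
    """Return the DML verbs used as bare words anywhere in the SQL text."""
    bare = _NOISE.sub(" ", sql)
    words = {w.upper() for w in re.findall(r"[A-Za-z_]\w*", bare)}
    return words & DML_VERBS

def may_execute(sql, database, user_can_run_sql):
    """Allow DML only if the user may run SQL and the connection allows DML."""
    if not user_can_run_sql:
        return False
    if not dml_verbs_in(sql):
        return True
    return bool(database.get("allow_dml", False))

# Constructed sample connections and statements (not taken from the discussion).
READ_ONLY = {"database_name": "analytics", "allow_dml": False}
WRITABLE = {"database_name": "staging", "allow_dml": True}
SAMPLES = [
    "SELECT last_update FROM t",
    "SELECT 'please delete me' FROM t -- update later",
    "WITH gone AS (DELETE FROM t RETURNING id) SELECT * FROM gone",
    "SELECT 1; update t set a = 1",
]

if __name__ == "__main__":
    for sql in SAMPLES:
        print(may_execute(sql, READ_ONLY, True), may_execute(sql, WRITABLE, True), sql)
```

The third and fourth samples show why checking only the first keyword is not enough: a CTE or a second statement can carry the write.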
