GitHub user dosubot[bot] added a comment to the discussion: Can I hide the 
query of dataset being visible for embedded dashboard

In Superset 5.0.0, the /api/v1/dashboard/{dashboard_id}/datasets endpoint 
always includes the SQL query (the sql field) for virtual datasets in its API 
response—even for embedded or guest users. The fix from PR #30858 only removed 
SQL from the /chart/data endpoint for guest users, not from this datasets 
endpoint, so the SQL is still exposed here by design and there’s currently no 
configuration, permission, or feature flag to hide it in this context 
([source](https://github.com/apache/superset/blob/6876a1e6843cd1f28f4206ca2dd75342dfddcf26/superset/dashboards/schemas.py)).

There isn’t an official workaround in 5.0.0. Some community suggestions include 
filtering the response on your own backend (e.g., via a proxy that strips the 
sql field before passing data to the frontend) or customizing the Superset 
codebase, but these approaches require extra engineering effort and aren’t 
supported out of the box. This limitation is known and has been discussed as a 
security concern in the community 
([discussion](https://github.com/apache/superset/discussions/32765)). 

If you need to fully prevent SQL exposure for embedded dashboards, you’ll need 
to implement a custom solution until a future Superset release addresses this.



GitHub link: 
https://github.com/apache/superset/discussions/33903#discussioncomment-13572003
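
The proxy approach mentioned in the comment above, as an added example that is not part of the original comment or of Superset's code: a response filter that drops the `sql` field from the datasets endpoint's JSON before the body reaches the browser. The function names, the shape of the constructed sample response and the 502 fallback are assumptions made for this example.

```python
import json
import re

# Path of the endpoint named in the comment; the id segment is matched loosely.
DATASETS_PATH = re.compile(r"^/api/v1/dashboard/[^/]+/datasets/?$")
SENSITIVE_KEYS = frozenset({"sql"})  # the field the comment says is exposed


def _scrub(node):
    """Return a copy of a decoded JSON value with sensitive keys dropped at any depth."""
    if isinstance(node, dict):
        return {k: _scrub(v) for k, v in node.items() if k not in SENSITIVE_KEYS}
    if isinstance(node, list):
        return [_scrub(item) for item in node]
    return node


def filter_response(path, status, body):
    """Filter one upstream response; returns (status, body) to send to the browser.

    Responses for other paths pass through untouched. For the datasets
    endpoint the filter fails closed: a body it cannot parse is replaced by a
    502 instead of being forwarded with the SQL possibly still in it.
    """
    if not DATASETS_PATH.match(path.split("?", 1)[0]):
        return status, body
    try:
        payload = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return 502, b'{"message": "upstream response could not be filtered"}'
    # The caller must recompute Content-Length from the returned body.
    return status, json.dumps(_scrub(payload)).encode("utf-8")


# Constructed sample response (not captured from a real Superset instance).
SAMPLE = json.dumps({"result": [{
    "id": 7, "table_name": "orders_summary",
    "sql": "SELECT region, SUM(total) FROM orders GROUP BY region",
    "columns": [{"column_name": "region"}],
}]}).encode("utf-8")

if __name__ == "__main__":
    print(filter_response("/api/v1/dashboard/12/datasets", 200, SAMPLE)[1].decode())
```

The proxy has to hand this function an uncompressed body, so it should either request identity encoding from the upstream or decompress before filtering.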
