From e27a3904c6a27dcccaa1ac0b01d10e7ca63c0704 Mon Sep 17 00:00:00 2001 From: Kailash Nadh Date: Tue, 9 Sep 2025 22:59:45 +0530 Subject: [PATCH] Expand the warning on `subscribers:sql_query` permission on arbitrary SQL functions. --- docs/docs/content/roles-and-permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/content/roles-and-permissions.md b/docs/docs/content/roles-and-permissions.md index 62ab21a7..6b11735a 100644 --- a/docs/docs/content/roles-and-permissions.md +++ b/docs/docs/content/roles-and-permissions.md @@ -12,7 +12,7 @@ A user role is a collection of user related permissions. User roles are attached | | subscribers:get_all | Get all subscribers and their details | | | subscribers:manage | Add, update, and delete subscribers | | | subscribers:import | Import subscribers from external files | -| | subscribers:sql_query | Run SQL queries on subscriber data. **WARNING:** This permission will allow the querying of all lists and subscribers directly from the database with SQL expressions, superceding individual list and subscriber permissions above. | +| | subscribers:sql_query | Run raw SQL queries on subscriber data. **WARNING:** This permission allows execution of arbitrary SQL expressions and SQL functions. While it is a readonly feature designed to allow querying of all lists and subscribers directly from the database superceding individual list and subscriber permissions above, raw SQL expressions makes it possible to obtain Postgres database configuration such as version and paths. Give this permission only to trusted users. | | | tx:send | Send transactional messages to subscribers | | campaigns | campaigns:get | Get and view campaigns belonging to permitted lists | | | campaigns:get_all | Get and view campaigns across all lists |
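Review bot: In the added `subscribers:sql_query` row, the warning calls the feature "readonly" while also saying it allows "arbitrary SQL expressions and SQL functions", and it does not say what enforces the read-only property or what bounds the exposure beyond the two examples given ("version and paths"). Suggest stating the mechanism (for example, whether queries run in a read-only transaction or under a restricted database role) and describing the exposure in terms of what the application's database user can read, so an administrator can judge the risk before granting the permission. Wording nits on the same line: "superceding" should be "superseding" (carried over from the removed line), "raw SQL expressions makes" should be "make", and "readonly" reads better as "read-only". The cell now holds several sentences; keeping a short description in the table and moving the warning to a note below it would keep the table readable.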