fix: keep external_access enabled — views need read_parquet on local files

File access attacks blocked by SQL blocklist instead of DuckDB pragma (pragma also blocks legitimate view resolution via read_parquet).
2026-04-08 12:33:05 +02:00 · 2026-04-08 12:33:05 +02:00 · ee7d5630ef
commit ee7d5630ef
parent f2f9a62803
1 changed files with 2 additions and 5 deletions
--- a/src/db.py
+++ b/src/db.py
@ -232,11 +232,8 @@ def get_analytics_db_readonly() -> duckdb.DuckDBPyConnection:
                    conn.execute(f"ATTACH '{db_file}' AS {ext_dir.name} (READ_ONLY)")
                except Exception:
                    pass
-    # Disable external access AFTER attaches (blocks user file reads but allows attached DBs)
-    try:
-        conn.execute("SET enable_external_access = false")
-    except Exception:
-        pass
+    # Note: external_access stays enabled because views use read_parquet() on local files.
+    # File-path-based attacks are blocked by the SQL blocklist in app/api/query.py.
    return conn