From ee7d5630efbcc0c6f7c9f0ae493bc4d11c02efed Mon Sep 17 00:00:00 2001
From: ZdenekSrotyr
Date: Wed, 8 Apr 2026 12:33:05 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20keep=20external=5Faccess=20enabled=20?= =?UTF-8?q?=E2=80=94=20views=20need=20read=5Fparquet=20on=20local=20files?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

File access attacks blocked by SQL blocklist instead of DuckDB pragma (pragma also blocks legitimate view resolution via read_parquet).
---
 src/db.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/db.py b/src/db.py
index 87cd328..8250746 100644
--- a/src/db.py
+++ b/src/db.py
@@ -232,11 +232,8 @@ def get_analytics_db_readonly() -> duckdb.DuckDBPyConnection:
 conn.execute(f"ATTACH '{db_file}' AS {ext_dir.name} (READ_ONLY)")
 except Exception:
 pass
- # Disable external access AFTER attaches (blocks user file reads but allows attached DBs)
- try:
- conn.execute("SET enable_external_access = false")
- except Exception:
- pass
+ # Note: external_access stays enabled because views use read_parquet() on local files.
+ # File-path-based attacks are blocked by the SQL blocklist in app/api/query.py.
 return conn
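Review bot: Removing `SET enable_external_access = false` leaves this read-only connection with no engine-level restriction on file access, so the only guard is the text blocklist in app/api/query.py, which is not visible here and has to anticipate every file-reading function, COPY/ATTACH form and quoted-path table reference that DuckDB accepts. If the DuckDB version in use supports it, keep the pragma and allow only the view data instead: `conn.execute("SET allowed_directories = ['<parquet data dir>']")` followed by `conn.execute("SET enable_external_access = false")`, letting a failure raise rather than fall through to an unrestricted connection. If the blocklist must remain the sole control, the new comment should state that explicitly, and query.py needs tests that pin the rejected statement classes. The body of get_analytics_db_readonly starts outside the hunk, so whether any caller reaches this connection without passing through query.py cannot be told from here.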