Feature/params on embeds #995

Closed
wants to merge 5 commits into from

@tdawber tdawber commented Apr 18, 2016

Hey @arikfr,

Here's a pull request fulfilling #929. Given the potential sensitivity around maybe exposing the query sql, I added a parameter, defaulting to off, to enable this feature. Added comments about potential side-effects of this feature.

Also enabled maxAge on embeds.

Happy to have a chat if this isn't quite how you would've done it.

Tom

@@ -201,6 +201,12 @@ def all_settings():
# Enhance schema fetching
SCHEMA_RUN_TABLE_SIZE_CALCULATIONS = parse_boolean(os.environ.get("REDASH_SCHEMA_RUN_TABLE_SIZE_CALCULATIONS", "false"))

# Allow Parameters in Embeds
# Warning: This will expose the full sql query and query attributes in the embed javascript
# If you are exposing embeds publicly, be aware that this setting can leak your sql queries
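
Review bot: the warning lines under "# Allow Parameters in Embeds" cover only disclosure of the SQL text in the embed JavaScript; they should also state that parameter values are then supplied by whoever loads the embed. Settings in this file are switched on through REDASH_* environment variables (as the SCHEMA_RUN_TABLE_SIZE_CALCULATIONS line above shows), so a comment here is easy to miss and the same warning belongs in the setup documentation. "sql" should also be capitalised as "SQL".
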
Member

Worth mentioning that there is also the danger of SQL injection.



response = render_template("public.html",
headless='embed' in request.args,
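
Review bot: `headless='embed' in request.args` tests only whether the key is present, so a request carrying `embed=false` or an empty `embed=` still renders headless. If this route only ever serves embeds, pass `headless=True`; otherwise parse the value explicitly.
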
Member

In the context of a visualization embed, you can always pass here True.

arikfr commented Apr 28, 2016

Played around with it and found several issues that are actually issues in the code you're using and not in your pull request directly:

In case ALLOW_PARAMETERS_IN_EMBEDS is False, calling Query#getQueryResult returns immediately because Query's query value is undefined (and Query#getQueryResult checks that query is truthy).

Possible solutions: a simple workaround of passing an empty string as the query value (I've done it in some other place in the code before) or adding a parameter to Query#getQueryResult to skip this check.

The API key we use is of a query, therefore we need a query_id in the request to associate it with a query. But the call Query#getQueryResult makes has no query_id in the URL.

This one is trickier to solve and will require some refactoring both on the server side and in the QueryResult implementation on the client side. I'm happy if both will be done, but the question is: is this something you can invest your time in? If you do, I'll be happy to elaborate on possible solutions.

arikfr commented May 2, 2016

Closing in favor of #1014. We will eventually implement something along the lines of my comment above, but until then...

@arikfr arikfr closed this May 2, 2016

nicokras commented Mar 2, 2017

Hi, can you give me an example on how to embed with parameters?

I have tried several ways like the one below, but could not make it work.

http://server/embed/query/3/visualization/4?api_key=apikey&p_start_date=2017-03-01

Also enabled REDASH_ALLOW_PARAMETERS_IN_EMBEDS=true in the .env file, and restarted.

I will appreciate any help.
Thanks.

Aleyasen commented May 5, 2017

How can we embed with parameters? I'll be thankful if anyone can give an example.

rexuli commented May 29, 2018

I searched for a while and could not find the answer, so I just tried it and it works.
Example:

<iframe src="http://redash_url/embed/query/11/visualization/33?api_key=API_KEY&p_Start%20Date=2018-04-10&p_End%20Date=2018-04-18"
  width="720" height="391"></iframe>

Params: Start Date & End Date in the query in redash

The &p_Start%20Date=2018-04-10&p_End%20Date=2018-04-18 will be the params in the query inside redash.

Remarks:
The embed needs to log in to redash.
Enabled REDASH_ALLOW_PARAMETERS_IN_EMBEDS=true in the .env

Redash version: Redash 3.0.0+b3147
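
The SQL injection concern raised in the review applies to the `p_`-prefixed URL parameters used in the embed example above. The following is an added example, not code from this pull request or from Redash: one way to validate such parameters against a per-query schema before they are used in a query. `SCHEMA`, `iso_date`, `embed_params` and the date-only parameter types are assumptions made for the illustration.

```python
from datetime import datetime
from urllib.parse import parse_qs, urlsplit


def iso_date(value):
    """Accept only a calendar date; return it normalised as YYYY-MM-DD."""
    # strptime raises ValueError on trailing text, spaces or quotes.
    return datetime.strptime(value, "%Y-%m-%d").date().isoformat()


# Hypothetical schema for one embedded query: parameter name -> validator.
SCHEMA = {"Start Date": iso_date, "End Date": iso_date}


def embed_params(url, schema=SCHEMA):
    """Extract p_-prefixed parameters from an embed URL and validate each one.

    Raises ValueError for unknown, repeated, missing or malformed parameters,
    so nothing outside the schema is ever handed to the query.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {}
    for key, values in query.items():
        if not key.startswith("p_"):
            continue  # api_key and similar keys are not query parameters
        name = key[2:]
        if name not in schema:
            raise ValueError("unexpected parameter: %r" % name)
        if len(values) != 1:
            raise ValueError("parameter given more than once: %r" % name)
        params[name] = schema[name](values[0])
    missing = sorted(set(schema) - set(params))
    if missing:
        raise ValueError("missing parameters: %s" % missing)
    return params


if __name__ == "__main__":
    # Constructed sample URL in the shape used in this thread.
    sample = ("http://redash_url/embed/query/11/visualization/33"
              "?api_key=API_KEY&p_Start%20Date=2018-04-10&p_End%20Date=2018-04-18")
    print(embed_params(sample))
```

Validated values should still be passed to the database as bound parameters where the data source supports them, rather than concatenated into the SQL string.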
