Model Permession

[MQinna]

Describe the bug

Users can Edit a Model Query using Native Query editor Without Having PermessionPermission

To Reproduce

a. Create a Group with preview-only access and add a user to this group only.
b. Disable Native Query Editor for this Group.
c. Create a user with model creation access.
d. Create a model with native query enabled and add it to the analytics collection.
e. Log in as the user from the newly created group.
f. Navigate to the newly created model.
g. Attempt to edit the model query.

Expected behavior

The user from the group with preview-only access, and with the Native Query Editor restricted, should not be able to edit the model query. The system should enforce the read-only access level set for the group, preventing any modifications to the model's query.

Logs

the log will be no use case for this.

Information about your Metabase installation

Version 124.0.6367.201 (Official Build) (64-bit)
Windows 11
MySql 
0.49.8
Jar File on Ubuntu
MySql

Severity

Altering Security and access rights

Additional context

No response

[paoliniluis]

Hi, please check the repro steps, although the user can SEE the SQL, it doesn't mean that they can EDIT it.

I wasn´t able to reproduce

[Tony-metabase]

The moment you press on edit you are not able to write anything in the editor and not even save