Hi all, I’m using a dashboard variable query to a SimpleJson datasource to return a list of ‘groups’ that are in scope for a particular Grafana user (Viewer), identified by their ApiKey passed using the X-DS-Authentication header. That bit works fine and the list of allowed groups (say 1, 4 and 5) appears in the dropdown list for the variable. I then use the same variable in a SQL command via the Postgres datasource to return a timeseries based on the selected group. That’s great, but the value of my variable appears in the URL, and there’s nothing to stop the user choosing another group ID that’s not in scope, thereby gaining access to someone else’s data, e.g., randomly pick group 6.
What can I do to prevent the variable being shown in the URL, and more importantly, to make sure that only values returned by the variable query response are deemed valid in the Postgres datasource?