Viewer permission and possible security breach


I am very happy with the new permission feature, but I am a bit puzzled by the following statement I found in the documentation:

Permissions on dashboards and folders do not include permissions on data sources. A user with Viewer role can still issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.

How a viewer could possibly issue such a request ? Could you illustrate the security breach with an example ?


If you use a InfluxDB Datasource, a Viewer can see every Query Grafana is Sending to the Backend via Browser Development Tools and if he can see these Queries the viewer can manipulate and send them again.

Is there no encryption of the query ?

Nope, i tried it by my Self and ist hope this will be fixed soon