I am very happy with the new permission feature, but I am a bit puzzled by the following statement I found in the documentation:
Permissions on dashboards and folders do not include permissions on data sources. A user with Viewer role can still issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.
How a viewer could possibly issue such a request ? Could you illustrate the security breach with an example ?