Read-only extension

[maelp]

My use-case is adding duckdb-wasm on an intranet to allow BI people and engineers to make queries, it would connect to mutiple databases (parquet files, Postgres, etc)

I'd like it to be a "query only" connection, and that they cannot create table, insert elements, drop table, etc

would it be possible to add a flags to the extensions to disallow such statements?

[csjh]

I think this would be something that would have to be implemented on a server-side level - if it's a wasm-level client-side restriction then it could be bypassed fairly easily.

[carlopi]

I am not sure I get what the intended behaviour is, but...

If the question is avoid duckdb-wasm modifying / uploading files (and you are dealing with coworkers that are not trying to hack their way in) one version of this is basically changing network behaviour to fail on writes, this would allow to forbid people changing served resources on random S3 buckets.

That plus changing the default database to be read-only should make more or less what you want.
Or maybe you want all ATTACH database.db statements to be read-only (basically injecting those), that should also be doable, a bit less clear how to implement but good.

Avoiding writes (that forbid COPY (SELECT 32) TO s3://....') + avoiding changes to the attached DB files leaves only stuff like COPY (SELECT 32) TO 'a.csv';` + read back from CSVs (living locally on your own browser tab).

This can be probably enough I think. Does this makes sense? And if so, a PR is very welcome adding a setting that propagates read-only setting to duckdb.

[maelp]

Yes I think the "ATTACHED" being read-only would be what I'm looking for