fix: surface SQL parse errors instead of misleading permission denied

tianzhou · claude · tianzhou · commit ab458e5bfa4c · 2026-03-25T20:05:23.000-07:00
When SQL has syntax errors (e.g., LIMIT before WHERE), the parser fails
and the permission system was silently defaulting to 'admin', causing a
confusing "requires admin permission" error. Now parse failures throw
directly with the actual syntax error message.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/server/lib/sql-permissions.ts b/server/lib/sql-permissions.ts
@@ -234,8 +234,8 @@ export async function detectRequiredPermissions(sql: string): Promise<SqlAnalysi
     }
 
     return { permissions, statementCount: parsed.statements.length, transactionSafe }
-  } catch {
-    // Parse failed - require admin for safety
-    return { permissions: new Set(['admin']), statementCount: 1, transactionSafe: false }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err)
+    throw new Error(`SQL syntax error: ${message}`)
   }
 }
diff --git a/server/services/query-service.ts b/server/services/query-service.ts
@@ -151,7 +151,12 @@ export const queryServiceHandlers: ServiceImpl<typeof QueryService> = {
     }
 
     // Determine required permissions and statement analysis
-    const analysis = await detectRequiredPermissions(req.sql);
+    let analysis: Awaited<ReturnType<typeof detectRequiredPermissions>>;
+    try {
+      analysis = await detectRequiredPermissions(req.sql);
+    } catch (err) {
+      throw new ConnectError(err instanceof Error ? err.message : String(err), Code.InvalidArgument);
+    }
     requirePermissions(user, req.connectionId, analysis.permissions, `execute query`);
 
     const details = getConnectionDetails(req.connectionId);
diff --git a/tests/sql-permissions.test.ts b/tests/sql-permissions.test.ts
@@ -172,10 +172,9 @@ describe('detectRequiredPermissions', () => {
     expect(transactionSafe).toBe(false)
   })
 
-  it('returns admin for unparseable SQL', async () => {
-    const { permissions, transactionSafe } = await detectRequiredPermissions('THIS IS NOT VALID SQL !!!')
-    expect(permissions).toEqual(new Set(['admin']))
-    expect(transactionSafe).toBe(false)
+  it('throws for unparseable SQL', async () => {
+    await expect(detectRequiredPermissions('THIS IS NOT VALID SQL !!!'))
+      .rejects.toThrow('SQL syntax error')
   })
 
   it('returns read for empty SQL', async () => {

Original file line number	Diff line number	Diff line change
`@@ -234,8 +234,8 @@ export async function detectRequiredPermissions(sql: string): Promise<SqlAnalysi`
`234`	`234`	`}`
`235`	`235`
`236`	`236`	`return { permissions, statementCount: parsed.statements.length, transactionSafe }`
`237`		`- } catch {`
`238`		`- // Parse failed - require admin for safety`
`239`		`- return { permissions: new Set(['admin']), statementCount: 1, transactionSafe: false }`
	`237`	`+ } catch (err) {`
	`238`	`+ const message = err instanceof Error ? err.message : String(err)`
	`239`	+ throw new Error(`SQL syntax error: ${message}`)
`240`	`240`	`}`
`241`	`241`	`}`