Access to resources for queries

I'm running self hosted retool on version 3.22.1

What I want to achieve is as follows:

I have some users that have been given the viewer permission. For some of these users, I want to give them the ability to write their own SQL queries. However, I only want them to be able to execute those queries against a read-only DB.

I have multiple resources in my setup and two of them are a write and read-only DB.

What I did was

  • Create a new permission group called SQL ReadOnly
  • Gave that group Edit queries access to the query library
  • Gave that group Use access to the read-only DB
  • Assigned that group to those users (so they now have the following groups assigned, All Users, Viewer, SQL ReadOnly)

When I log in as one of those users, they can see the query library. However, when they try to create a new query and open the dropdown list for resources, they see every resources. If they pick the write DB (which they shouldn't have access to), they are still able to execute queries against the write DB.

Can someone please help me understand whether this is a bug, or whether I did not set it up correctly.

Note I also tried to remove the viewer permission to see if that fixed the problem and it had no effect.