google-apps-scriptlibrariesreadonlydata-protectionclasp

How to prevent clasp from cloning/pulling "View Only" Google Apps Script Project


I have Google Apps Script Project created by "publisher" account and shared as a "view-only":

1. Editors can change permissions and share - set to false
2. Viewers and commenters can see the option to download, print, and copy - set to false
3. Anyone on the internet with this link can view

From another "consumer" account, that should be able just to:

a) Import the Project as a library and

b) Use the project endpoints

When I use the online editor, it all looks fine:

enter image description here

"Make a copy" menu item is disabled.

"Show manifest file" does not show the appsscript.json


However, "consumer" account can use clasp (with the Script ID) to clone the project, pull specific version, download manifest file, read project properties and dependencies etc.

clasp clone script_id
clasp pull --versionNumber 2

Note: I even made "publisher" account not to use clasp as an approved application.

Q1: Am i wrong, this looks like "protection system" can be bypassed by clasp?

Q2: Is this a known bug/feature/issue, I couldn't find it, I would like to upvote?

Q3: If you want to share the Library project to the clients, maybe you could make a sub-library project that "hides" the business logic. It looks like clasp can download the manifest file of the top-level shared project and then all the sub-libraries became unprotected too, manifest file shows their script ids. Is there some standard way to accomplish something like this?

Thank you and sorry for the long post.


Solution

  • Issue:

    As written in the official help center page,

    Important: You can limit how people share, print, download, and copy within Google Drive, Docs, Sheets, and Slides, but you can't stop how others share the file content in other ways.

    The feature

    Viewers and commenters can see the option to download, print, and copy

    only disables the user interface buttons and prevents copying within the app. It doesn't stop users from

    or any other methods.

    Solution:

    Currently the only recommended way to hide script projects is by publishing a addon #7. If that's not an option, You can try basic JavaScript obfuscation/minification.

    Issue trackers: