How to prevent clasp from cloning/pulling "View Only" Google Apps Script Project
I have Google Apps Script Project created by "publisher" account and shared as a "view-only":
1. Editors can change permissions and share - set to false
2. Viewers and commenters can see the option to download, print, and copy - set to false
3. Anyone on the internet with this link can view
From another "consumer" account, that should be able just to:
a) Import the Project as a library and
b) Use the project endpoints
When I use the online editor, it all looks fine:
"Make a copy" menu item is disabled.
"Show manifest file" does not show the appsscript.json
However, "consumer" account can use clasp (with the Script ID) to clone the project, pull specific version, download manifest file, read project properties and dependencies etc.
clasp clone script_id
clasp pull --versionNumber 2
Note: I even made "publisher" account not to use clasp as an approved application.
Q1: Am i wrong, this looks like "protection system" can be bypassed by clasp?
Q2: Is this a known bug/feature/issue, I couldn't find it, I would like to upvote?
Q3: If you want to share the Library project to the clients, maybe you could make a sub-library project that "hides" the business logic. It looks like clasp can download the manifest file of the top-level shared project and then all the sub-libraries became unprotected too, manifest file shows their script ids. Is there some standard way to accomplish something like this?
Thank you and sorry for the long post.
Issue:
As written in the official help center page,
Important: You can limit how people share, print, download, and copy within Google Drive, Docs, Sheets, and Slides, but you can't stop how others share the file content in other ways.
The feature
Viewers and commenters can see the option to download, print, and copy
only disables the user interface buttons and prevents copying within the app. It doesn't stop users from
- Directly copying what they see to clipboard
- Copy using the respective apis
or any other methods.
Solution:
Currently the only recommended way to hide script projects is by publishing a addon #7. If that's not an option, You can try basic JavaScript obfuscation/minification.
Issue trackers:
- Trouble getting log function to work in a custom function for Google sheets
- Graphical buttons in my Google sheets don't keep their position
- Display pasted cells temporarily then return to main page
- Execution order of GS files in a Project
- Javascript case sensitive
- How do you add UI inside cells in a google spreadsheet using app script?
- Google apps script missing
- sharing the folder created by google form and google script
- "TypeError: Failed due to illegal value in property: 0" when sending a Map object to Apps Script server
- Lock google sheets for data entry after a wrong entry
- Schedule View: INDEX MATCH from table and return multiple cells into one
- How to combine 3 multidimentional arrays using GAS?
- How to Show/Hide rows in google sheets using a script?
- Popping a Modal Dialog when changing the drop down entry in Google Sheets
- Transfer background color from cell range to drop down options
- What do I do if my Apps Script didn't save?
- List Google drive folder contents to google sheets with only new files
- Finding the optimal division of an array
- Failed due to illegal value in property: context
- Formatting Specific Portions of a Gmail Email Created with Apps Script
- Extracting report data from Kickserv API into Google sheet using google Apps Script
- How to use the cell number instead of its value in a Filter + Importrange
- Google Docs Apps Script Extension Add-ons - Greyed Out after Installation
- I want to use a macro to check a value in a sheet and return one of two values
- How to union ranges in google spreadsheets
- Gemini 1.0 Pro Vision has been deprecated on July 12, 2024. Consider switching to different model, for example gemini-1.5-flash
- How to use Apps script to move a lot of data rows at same time to different spreadsheet automatically base on time
- How can I see the full server response for this API error message in Google Scripts?
- Can I list all my scripts without any other types of documents in Google Drive?
- Custom Menus Google Apps Script