I have Google Apps Script Project created by "publisher" account and shared as a "view-only":
1. Editors can change permissions and share - set to false
2. Viewers and commenters can see the option to download, print, and copy - set to false
3. Anyone on the internet with this link can view
From another "consumer" account, that should be able just to:
a) Import the Project as a library and
b) Use the project endpoints
When I use the online editor, it all looks fine:
"Make a copy" menu item is disabled.
"Show manifest file" does not show the appsscript.json
However, "consumer" account can use clasp (with the Script ID) to clone the project, pull specific version, download manifest file, read project properties and dependencies etc.
clasp clone script_id
clasp pull --versionNumber 2
Note: I even made "publisher" account not to use clasp as an approved application.
Q1: Am i wrong, this looks like "protection system" can be bypassed by clasp?
Q2: Is this a known bug/feature/issue, I couldn't find it, I would like to upvote?
Q3: If you want to share the Library project to the clients, maybe you could make a sub-library project that "hides" the business logic. It looks like clasp can download the manifest file of the top-level shared project and then all the sub-libraries became unprotected too, manifest file shows their script ids. Is there some standard way to accomplish something like this?
Thank you and sorry for the long post.
Issue:
As written in the official help center page,
The feature
only disables the user interface buttons and prevents copying within the app. It doesn't stop users from
or any other methods.
Solution:
Currently the only recommended way to hide script projects is by publishing a addon #7. If that's not an option, You can try basic JavaScript obfuscation/minification.
Issue trackers: