0

User A has some PHP library files. User B needs access to the library. Is it possible permission-wise to make user B able to include the PHP file but not able to view the source code?

User A's library entry file is lib.php.

User B uses lib.php in his start.php like this:

```php
include 'path/to/lib.php';
```

However user B won't be able to view the content of lib.php or any other class files thereof.

Is this possible?

datasn.io
  • It would be working if `lib.php` lies on an external server which User B can't access with edit rights. But he knows the URL then, so he could possibly access it otherwise. Why do you need this? – KhorneHoly Dec 22 '15 at 13:51
  • But user B still has view rights? I don't want user B to see the code at all. There are some confidential logics and data made in the library and it will take quite some efforts to separate them out but we don't have the luxury of time. – datasn.io Dec 22 '15 at 13:55
  • It's a normal include then, but the file as it is physically lies on the external server, e.g. `include 'www.example.com/lib.php'`. It will include the file in your script so you can work with it. But you can't look into it or edit it. Except he's getting the file somewhere else from. – KhorneHoly Dec 22 '15 at 13:58
  • Possible.. User A has direct access to lib.php, User B has no access at all, but User B can execute the code as User C which can access lib.php. Now it would be quite simple to break that.. e.g. read the lib.php and send it somewhere. Maybe check this question: http://stackoverflow.com/questions/336057/best-solution-to-protect-php-code-without-encryption – user5542121 Dec 22 '15 at 13:59
  • 1
    Why not just convert that to an API? The code can't be seen, it's on your server, and he is sending curl to your API? Best way not to compromise your data. – Strahinja Djurić Dec 22 '15 at 14:00
  • @StrahinjaDjurić as stated in the comments he doesn't have the time to do so, even if it would be the best option. – KhorneHoly Dec 22 '15 at 14:03
  • @KhorneHoly, I'm not sure we can include PHP files via HTTP? – datasn.io Dec 22 '15 at 14:06
  • @kavoir.com [see the manual](http://php.net/manual/en/function.include.php#example-156) – KhorneHoly Dec 22 '15 at 14:07
  • 2
    Impossible: If the php script can read it, the user can have php read the file and echo it out on to the browser or somewhere else. – jeroen Dec 22 '15 at 14:14
  • @jeroen you could echo it or something, but you couldn't edit the origin file – KhorneHoly Dec 22 '15 at 14:17
  • @KhorneHoly True, but that is not what the OP is asking: `... there are some confidential logics and data made in the library ...`. The OP is talking about viewing. – jeroen Dec 22 '15 at 14:20
  • 1
    @jeroen Yeah, you're right, it's impossible without giving User B the chance to at least see the source code. Only possibility would be to write an API. – KhorneHoly Dec 22 '15 at 14:21
  • @jeroen, thanks. How about this then? Let user B just write the code without any `include` at all, say `b.php`, which on its own doesn't run at all since it includes nothing. He will then use his browser to access a URL we made for him and he will specify the file (`b.php`) to run. Upon accessing this URL, our server runs a script as user A that first includes `lib.php` and then continues to include `b.php`. Would this approach work? In this approach, does user B have any chance of getting the source code of the library? – datasn.io Dec 22 '15 at 14:31
  • 1
    @kavoir.com That's a horrible way of making your clients write software. How are they supposed to write and debug their program, if they cannot actually run it? – user229044 Dec 22 '15 at 15:25
  • @meagar, they can get the output from the browser. We don't have the luxury of time so whatever works now I would consider. So would B still be able to get the source code in this way? – datasn.io Dec 23 '15 at 00:33

2 Answers

1

You're trying to find a way to do something that can't be done properly. Maybe in a kind of hackish, definitely dirty way.

You really should consider writing an API for your Application that contains all your logic. Then you could just handle everything else with User permission and so on, perfectly clean and state of the art.

Nobody but the API devs can look into the code, but everyone can use it based on his user permissions.

Every other method is just too hard to handle and will cause more problems than just writing an API. It's worth the time.

KhorneHoly
1

Basically what you ask is not possible. The PHP interpreter needs to be able to read the file in order to include it, and if the PHP process can read it then your untrusted user can write some code that would read it in and dump it back out.

A few options you have are:

1) Use an API. Would allow you to keep your code secret as you'd only expose the API. Might take a few days' work to implement though (or might not even be possible - impossible to say without knowing what you are doing), so probably not suitable in your situation.

2) Obfuscate your code. There are a number of PHP code obfuscators out there. It wouldn't stop prying eyes completely but it might be enough for your purposes.

3) Create a stub include file. If what your library includes isn't all critical to the running of the code you could create a cut-down stub library for your client to code against, then replace it with the real thing when they've done.

Eborbob
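The API route that both answers recommend, sketched as an added example (not code from either answer or from the asker's library): a single endpoint that runs under user A's account, includes `lib.php` itself, and lets user B call only an allowlist of functions with data arguments. The file path, the `LIB_API_TOKEN` environment variable and the function names `lib_quote_price` and `lib_lookup_sku` are hypothetical.

```php
<?php
// api.php -- runs as user A; user B has no filesystem access to lib.php at all.
// Added example: the path, LIB_API_TOKEN and the exported names are hypothetical.
declare(strict_types=1);

// Never echo PHP errors to the caller: messages and traces can leak paths and source lines.
ini_set('display_errors', '0');

// Keep the library outside the web root, readable only by user A (e.g. chmod 600).
require '/home/usera/private/lib.php';

// Only these library functions are callable remotely; everything else stays internal.
const EXPORTED = ['lib_quote_price', 'lib_lookup_sku'];

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    respond(405, ['error' => 'POST only']);
}

// Authenticate user B with a shared secret, compared in constant time.
$expected = getenv('LIB_API_TOKEN');
$given = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
if (!is_string($expected) || $expected === '' || !hash_equals('Bearer ' . $expected, $given)) {
    respond(401, ['error' => 'unauthorized']);
}

// User B sends a function name and plain data, never PHP code to include or run.
$request = json_decode((string) file_get_contents('php://input'), true);
$function = is_array($request) ? ($request['function'] ?? null) : null;
$args = is_array($request) ? ($request['args'] ?? []) : null;

if (!is_string($function) || !in_array($function, EXPORTED, true) || !is_array($args)) {
    respond(400, ['error' => 'unknown function or bad arguments']);
}

try {
    // array_values() drops string keys so the caller cannot pass named arguments.
    respond(200, ['result' => $function(...array_values($args))]);
} catch (Throwable $e) {
    error_log('lib api: ' . $e->getMessage()); // details stay in user A's server log
    respond(500, ['error' => 'internal error']);
}
```

User B's `start.php` then sends an HTTP request to this endpoint instead of using `include`, so the only thing that crosses the boundary is JSON input and output.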