4

Hi this is more question of code security, rather than a question about a directly coding related problem. But I was wondering is it possible to see the code in ui.R and the server.R and that generates the app web browser page?

e.g. Although I'm sure I could just ask Garrett to see the code...is it possible, without authorisation, to somehow see the code related to this URL http://glimmer.rstudio.com/gsee/TFX/ which is running the a shinny app? As this might be a problem if putting up sensitive data/code etc.

Is there a way to add a secure username and password to shinny apps? so that only selected users can access the app?

I know obviously you can see code that run shinny apps from gists, but was more curious about glimmer apps.

P.S. Garrett (if you see this), im just using your app as a good app example...as it uses glimmer..., and in my opinion its attractive code.

juba
  • 47,631
  • 14
  • 113
  • 118
h.l.m
  • 13,015
  • 22
  • 82
  • 169

2 Answers2

5

As you talk about shiny applications that run on glimmer.rstudio.com, you talk about applications that run on shiny server (in contrary to applications run locally via a call to runApp).

A such, both ui.R and server.R are located on the server, and they are not downloaded to your computer when you run it. Moreover, they seem to be protected by shiny, as if you try to access them via an URL, such as http://shinyserver.example.com/app/server.R, all you will get is an HTTP 404 error.

So, in the same way that it is not possible to access the PHP or Ruby files that power a website or web applications, you can't, for obvious security reasons, access the R files behind a shiny application.

As for protecting access to a shiny application, I'm not sure it is a builtin feature in shiny server yet, but if you run it behind an Apache or Nginx proxy it should be possible to use HTTP authentication for that.

Note : I'm not a shiny expert at all, so this answer could be partially wrong. I just hope not totally :)

juba
  • 47,631
  • 14
  • 113
  • 118
  • 1
    I was potentially considering using the dynamicUI that is offered from the shinny package (http://rstudio.github.com/shiny/tutorial/#dynamic-ui) and doing something simple like if username==x and password==y then carry out the rest of the shinny app, else...say access denied.... but i felt it was perhaps a bit too simplistic...and wanted to ask others to hear their thoughts on it... – h.l.m Feb 03 '13 at 11:36
  • Protecting access to a shiny app is a different question than the one you asked, and I think you should open a new one. – juba Feb 03 '13 at 11:39
  • 2
    Ah I guess it is slightly different, I think I wanted the answer to both questions...,but will post up another question about protecting access to shiny apps. – h.l.m Feb 03 '13 at 11:44
  • 1
    just did in case you were curious http://stackoverflow.com/questions/14672171/prottecting-access-to-glimmer-shiny-apps – h.l.m Feb 03 '13 at 12:03
0

Right now, do not put up sensitive code or data on the glimmer server! It is not secure and any user of the server can access the code/data of other users. A bug report has been submitted and the developers are working on it, to my surprise the server is still online though.

Username/passwords are not going to help with this bug. If you want security, host Shiny Server yourself as the glimmer server is not secure.

Maarten van Vliet
  • 572
  • 7
  • 12
  • 1
    Hi dlib, I'm embarrassed to admit that your bug report e-mail was forwarded to me but I totally missed it, and only saw it now after seeing this S.O. post and searching my e-mail. We've dealt with the problem you reported, however we don't believe that any user code/data was ever at risk. I will follow up with you over e-mail to help establish whether this is true and if there are any more problems to solve at this time. Thank you! – Joe Cheng Mar 25 '13 at 03:38