workspace scope limitations

[tangweisuper]

Feature Description:

I'm building a web ide for developers(It is possible that they are untrusted developers). I hope developers can only see their code（/home/project）.But in fact, theia can go anywhere.

i want this

but i can go there

even /etc

and this result can also be achieved by using the "Add Floder To Workspace" function

I already use filters to disable terminal functions, Is there a way to solve the above problem ?
thx

[msujew]

Hey @tangweisuper,

I've converted this into a discussion, since it's mostly a question and not a feature request.

Essentially, similarly to all other IDEs, Theia is built in a way that allows it to read/open all files that are accessible to the system user that starts the Theia backend process. Changing this behavior is pretty difficult, and even if you change the frontend/file system implementation behavior enough, you still have the issue of users having unrestricted access via the terminal and/or VS Code extensions.

The most common way to solve this is by isolating the IDE from the rest of the system. Most commonly, you would set something up like Theia Cloud or a similar, pod/container based solution. Even if users make their way out of the designated project area, they have no possibility of breaking something for themselves or in the infrastructure as they cannot escape the container.