Authorization scopes for spreadsheets - google-apps-script

I have created a standalone Google Apps Script (it does not belong to any document). The script get triggered automatically at some fixed intervals. This script
creates a couple of folder (if they don't exist)
creates a Google spreadsheet (if it doesn exist). Read said
spreadsheet.
update calendar events
I noticed that when I first run it, it asked for permissions to read, delete all Google Drive items, all spreadsheets and all calendar events
I work on tailoring the scopes required and at least Google Drive does not have those broad permissions. I am still unable to reduce the scope for Google spreadsheet (And also calendar).
An expert #TheMaster made a post some years but is not exactly the same case.
I tried changing the scopes but the editor complained and requested that to use openById I need to change the scopes back

Ok, I ended up changing how my solution was structured.
Before Script lived outside the spreadsheet
Now script lives inside the spreadsheet. I am now know doing scopes directly on the manifest and using onlycurrentdoc.

From https://developers.google.com/apps-script/guides/services/authorization#manual_authorization_scopes_for_sheets_docs_slides_and_forms
Manual authorization scopes for Sheets, Docs, Slides, and Forms
If you're building an add-on or other script that uses the Spreadsheet service, Document service, Slides service, or Forms service, you can force the authorization dialog to ask only for access to files in which the add-on or script is used, rather than all of a user's spreadsheets, documents, or forms. To do so, include the following JsDoc annotation in a file-level comment:
/**
* #OnlyCurrentDoc
*/
Besides the above, look at each method reference documentation at the https://developers.google.com/apps-script/reference. At the bottom of the corresponding section you will find a list of the scopes that might be u sed for each method. Some methods have more than one scope, choose the one that better fits what you need.
Related
How to narrow scopes for Google Apps Script to specific files
References
https://developers.google.com/apps-script/guides/services/authorization
https://developers.google.com/identity/protocols/oauth2/scopes

Related

How can I Find All Uses of a Google Script Library?

I have a Google Script library that is used by at least 100 other scripts (some that are bound to spreadsheets/documents, some that are not). How can I find all of these client scripts that reference my library script?
More specifically, I need to be able to add a new feature into the library that requires new permissions that I (the user) must grant. The client scripts won't run if I just add this feature to the library without granting the permissions to each of the client scripts. So ultimately, I need to give this new permission to each of the clients. And if I knew what scripts were actually using this library, I could do that manually for each one. But I need to URL's or ID's or something for each of those scripts.
Answer:
Unfortunately this is not possible to do.
More Information
It is possible to get a list of standalone Scripts from your Drive, though scripts bound to a file can not be searched for using regular searching methods.
It is possible, using the help of this Google Account page to get a list of all the Apps that have access to your account, though only files you have authorised will appear here, and apps which are not just those created by you in Apps Script will appear there (for example, other add-ons or even Android Apps bound to your account appear here).
A Partial Workaround:
Using Google Apps Script, you can list all Apps Script Projects that you own with help of the MimeType enumeration GOOGLE_APPS_SCRIPT
var scripts = DriveApp.getFilesByType(MimeType.GOOGLE_APPS_SCRIPT);
var arr =[ ];
while (scripts.hasNext()) {
var script = scripts.next();
arr.push(script)
}
Logger.log(arr);
Or even just searching for type:script in Drive, however this only returns a list of scripts that are not bound to a file.
You can then use regular Google Drive search terms to find which of these files contain, for example, a unique method name that the library uses. I am aware this isn't a perfect solution and you would still have to look for projects bound to a file using the above webpage.
Feature Request:
It appears that back in 2014 a feature request for this was made on Google's Issue Tracker, though I would suggest creating another feature request for this here as it was marked as a duplicate of another issue. You can make a feature request under the correct Apps Script component here.
References:
Google Apps Script - Enum MimeType
Google Drive Search Query Terms
Apps with access to your account
Google's Issue Tracker
Feature Request: Listing and searching for container bound scripts
Create an Apps Script Feature Request

How to narrow scopes for Google Apps Script to specific files

Main Issue:
I have two Google spreadsheets: a template and a master.
The template is sent out to people to make a copy of, fill in, and then I have a script that copies their tab to the master spreadsheet.
Currently the authorization is very broad- to view, edit, delete all of the users' spreadsheets. Since only two files are involved, I'd like to narrow the scope to just those two, mainly because the authorization process looks sketchy to the users right now.
Is there a way to limit scope to specific spreadsheets vs all spreadsheets?
What I've found/researched so far:
It seems that you can easily only limit scope to the current file, or demand access to all spreadsheets.
I've found two methods:
1) current only
Add this to the top of the script:
/**
* #OnlyCurrentDoc
*/
This means that I can't copy the tab to the master spreadsheet.
2) Set Explicit Scopes
Go into the manifest as described here:
https://developers.google.com/apps-script/concepts/scopes
Seems that this also only allows for current file only or full spreadsheet access.
Similar Questions:
Others have asked similar questions but haven't gotten an answer to this specific issue where there are multiple specific files in question.
How to use narrower Google Apps Script Authorization Scope when accessing file from own drive
How to narrow down the auth/drive scope for a google apps script?
Code and potential ideas:
I haven't tried whitelisting- could that help? Would I whitelist the master spreadsheet on the template?
The authorization when I tried '#OnlyCurrentDoc' defines the permission as 'View and manage spreadsheets that this application has been installed in'. Can I install this application in my master spreadsheet and have them talk? Any ideas?
//this is pretty much the only applicable code:
var admin_ss = SpreadsheetApp.openById([ID]);
var this_ss = SpreadsheetApp.getActiveSpreadsheet();
Possible approaches:
CurrentOnly scope:
https://www.googleapis.com/auth/spreadsheets.currentonly
You can install it in many sheets as a add-on by publishing your script OR
Publish a web-app in the master spreadsheet. You can create a doPost() function to receive and authorize any request to write to the master spreadsheet from the slave spreadsheets.
Drive.file scope:
https://www.googleapis.com/auth/drive.file
You can use this scope to access any file created/opened with this project.
You can create a web app to execute as the user and to create a slave spreadsheet from the master spreadsheet. Master needs to be shared to the user OR
Use Google picker/web app to make the user manually choose/open the master/slave spreadsheet to provide access to the app to only those sheets.
References:
Add on current only scope
Web app guide
OAuth scopes list
Google Picker

Google App Scripts cannot be given Authorization or Permission

Why am I not able to give permission/authorization to a Google Apps Script that I also made using the same Google account?
It seems like Google doesnt trust myself to use my own Google Apps Script with my own Spreadsheet.
Here is the line of code that breaks everything. If this line doesnt exist, I'm not asked for permission.
var sheet = SpreadsheetApp.getActiveSheet();
So it's trying to access the spreadsheet that created this Google Apps Script, also made using my account but I cant grant permission.
When I run the line of code above, I am told I need to give permissions, so I do by selecting the account name I am already logged into. I am greeted by this error,
This app isn't verified
which unfortunately does not provide competent documentation to troubleshoot.
Any feedback or help would be much appreciated! Thanks!
Click on the "Advanced" link and you'll be able to authorize your script.
To reduce the scope of permissions you request, you also have the option of declaring your script project to be only able to interact with the bound document:
/* #OnlyCurrentDoc */
function myFunction() {
...
This declaration is incompatible with some methods (such as SpreadsheetApp.openById()), and using an incompatible method results in an error in the application execution.
Successfully adding it to your project is generally sufficient to remove the "This application is unsafe" layer of the authentication flow, meaning the authorization and permission list is not hidden behind the "Advanced" tab.
In addition to declaring as current document only, manually editing the requested scopes of your project in its project manifest can help reduce the perceived threat from an unverified application (for example, retaining only the "read_only" version of certain scopes, where applicable). Apps Script documentation offers more details on project manifests.

Determine Script Authorization Requirements

I have a script associated with a spreadsheet which requests Authorization. When granted and I look at the Permissions associated with my account the script has the following:
Has some account access, including Google Docs
Google Docs
View and manage your documents in Google Drive
View and manage your spreadsheets in Google Drive
Additional access
View and manage your forms in Google Drive
I am surprised it is going to this level as all the function calls I am seeing are either getting an active item or getting the sheet by name (not the file, a tab inside the file). Outside of an HTML service form, there is nothing I see which should call a Google Form item. Nor do I see anything about a Doc. Just Spreadsheet items.
Is there any way to determine where the various authorized access items are IN the code without trial and error?

How to share a Google Spreadsheet that utilizes Google App Scripts within a company domain?

I have a seemingly simple problem that seems to get more complicated the more I get into it.
I have one spreadsheet document.
This spreadsheet utilizes a google apps script, that in turn utilizes various APIs: Domains, Sites, Spreadsheets...
To use this spreadsheet I have to take a few steps -
Authorize the spreadsheets. This dialog only comes up if I use the
script editor, otherwise the Spreadsheet fails silently.
Enable Domain API in Editor -> Resources -> Advanced Google Services
Enable Domain API in Google Developer Console to a seemingly hidden
project that is attached to my spreadsheet. The only way I can access this secret page is through the Advanced Google Services menu in step #2.
After getting through these hurdles, the spreadsheet now functions correctly without having to use the Script Editor.
Now I want to share this spreadsheet with other users in my company's domain.
Is there any easy way to do this, or will every single user I share it to have to jump through these hurdles as well?
Am I thinking about this wrong? The documentation states the script is 'attached' to the spreadsheet. But the more I get into it, the more separate these two things seem to be. I can share a spreadsheet - but the script won't function properly. I can publish a 'web app' with the script editor - but it won't come with the spreadsheet.
Any help appreciated
Frusteratingly yours...
Other users will have to have the same domain permissions as you do.
An approach you could take is have all the permissions related work done on a script that is published as a web app that will take url parameters (to trigger tasks), which is run as you and accessible to others.
From there, your original script can call the published url and send instructions via parameters.
https://developers.google.com/apps-script/guides/content