I have added an image on my grid, and assign script to it. But script executes only when I click on image, and when another user(with reader permission) clicks on image nothing happens. The same situation is with onOpen() trigger - nothing happens when user whith reader permission opens the grid. I understand that editor permission will fix it, but I don't need the user to be able to edit the table, I only need that user be able click buttons(image)/get alive triggers/menus that i create, but not edit anything manually. How can i do this(may be i should give some extended reader permission, or to turn on something in GAS project)?
When users execute a script for the first time, they will get an allow permissions prompt, so they can authorize the script to make changes on their behalf.
However, if the user has viewing permissions over the sheet or file, they cannot authorize the script to run or make changes on their behalf since they cannot make changes to the file. (I found a similar question, with the difference that the sheet was embedded in a website that has some information about why it does work here).
And it's documented in the Apps Script documentation here:
An installable open trigger runs when a user opens a spreadsheet, document, or form that they have permission to edit.
You can also request a feature request to Google asking for an option to allow users with "viewing permissions" to run scripts here.
In this case I think you may give editor's permissions but protect the sheet/range so only you can edit them with this option -->
https://support.google.com/docs/answer/1218656?hl=en&co=GENIE.Platform%3DDesktop#zippy=%2Cprotect-a-range-or-sheet
Let me know if this worked!
Option 2:
Adding to those protected ranges you can too create a Library with your functions in another spreadsheet (or in Google App Script independently) -> read about it here
You can now set buttons/menus associated with those original functions, but I think that this can give you an altenative
For example:
function function1_toOrigin() {
LibraryName.function1()
}
function function2_toOrigin() {
LibraryName.function2()
}
Yes, they'll be able to access to these linking functions but nothing more, I think they won't be that unreliable??
IMPORTANT: If there are modifications to the script you should deploy them again as a new version of the library and update the version in your spreadsheet by double-clicking in your library
Related
I have a complex spreadsheet where most of the sheet is locked and the user can only edit a handful of cells which triggers a bunch of calculations. This used to work fine but the problem now is I have added a drawing which I attached a script to so it acts as a button. Doing this forces the user to have to authorize and now the scripts run as that user so when the script tries to update cells that are locked to the user it fails.
How can I make it so a user can't type into cells, but my scripts can still update them. Basically I want the script to have full access to the sheet, not restricted by user permissions.
Workaround#1 -Service account:
Create a service account
Share your spreadsheet with edit permissions to the service account's email
Install and Use the Google oauth2 library to get Bearer token with necessary scopes(Drive/Sheets/Both). This token can be used to impersonate the service account.
Using the bearer token above, You can directly access the
google-sheets-api using urlfetch
OR use a published webapp(set to execute as "User accessing the app" and "Anyone") to use inbuilt services such as SpreadsheetApp. See Second related answer linked below.
In this case, PRIVATE_KEY of the service account acts as a password to access the spreadsheet with edit privileges. So, exposing it directly in the script editor will give access to any of the editors to access protected areas of the spreadsheet and all service account resources. So, in a way, protected areas are not protected in a absolute way. If protected areas need to be absolutely protected, You may be able to bypass this limitation
using two script projects: a bound one posting data to a unbound one, which is published as a web app and holds the private key. Here, editors can be supplied with passwords to access the unbound script.
Another way is to simply publish a addon, as a addon's source code is never visible to end users.
Workaround#2 - Installable triggers:
Use a installable edit trigger with a checkbox. Users click a checkbox in the unprotected area and script modifies the protected area.
Installable triggers run under the authority of the user who installed it and not as the current user.
They can bypass permission restrictions of the sheet. But this is a double edged sword. Anyone with edit permission will be able to trigger the script. Not only that, they may also be able to access the script editor and modify the script as they see fit. To limit foul usage,
Set the script to run only at a specified version: This can be done by setting the edit trigger manually in Tools > Script editor> Edit > Current project triggers > Add trigger > Select version. Script must have a saved version and be deployed as a webapp(doesn't need to be working).
Avoid providing unnecessary scopes to the script. Limit oauthScopes by editing manifest file. Preferably the only scope provided should be https://www.googleapis.com/auth/spreadsheets.currentonly
Related:
Is there a way to let a user edit another spreadsheet with a script and hide it from him at the same time?
Google App Script execute function when a user selects a cell in a range
I'm coding a script for a spreadsheet. This script creates a menu.
Then by choosing an option in this menu a function (which uses API) will run in order to filter some columns and hide others.
The problem is:
This sheet is protected (because shared with coworkers) but I want to allow people to run the script, which is impossible without the permission.
I already looked at different solutions:
Using a trigger: Doesn't work because a trigger can't correctly call a function which uses API (yes, my functions use API).
Web App: When the script is run from the spreadsheet, the script is run as the current user, not the script editor. (the web app is efficient if the user uses the HTML page.)
Remove protection -> run the function -> Re-add protection: Can't modify the protection without permission, which is logical.
Add the current user in the list editor -> run the function -> Remove the current user from the list editor: Can't modify the editor list without permission, which is logical.
How can I solve this problem?
This is a pain that I have not seen a good workaround. Google should know that in a collaborative environment that the owner would create script and want users to be able to run those scripts while at the same time not messing with formulas or cells that you desire to protect. The only way I have found to solve this on the sheet itself is to Unprotect and then Protect the cell or range you are making modifications to during the script run. Do be mindful that if the script fails in the middle (after you have unprotected it) the cell remain unprotected. Might want to run within a "try" script.
Are you the spreadsheet owner?
If no, you are not authorized to bound an apps script on it.
But you can make a copy of the spreadsheet by duplicate it and save in your drive.
If the spreadsheet is created by you yourself, maybe you created it by another username. If it does, log in by that user and change the sharing option to allow the specific user can edit it.
I've a public Google Sheet (everyone can access it and edit it). In it, I use a script, a function, that download a csv with the UrlFetchApp.fetch(url);.
When an anonymous user access it (without the google login), the user can view, and edit the sheet, but, the user cannot run the script. The user must be logged with a google account to the script do the working.
The stranger thing is that this sheet with this script was working for anonymous users early. This problem didn't occur before a couple weeks ago.
Do you know if the google change something about security or is it an error that I am doing?
In order to run apps script on a particular user's behalf, Google Workspace requires that user's permission, via an OAuth flow.
If a user is anonymous therefore, you can see why this permission cannot be granted, which is why the script won't work for those users.
I guess it is an intended behavior as long as the anonymous user access the sheet via shareable link. As stated in this support page, you might see a name you don’t recognize or "anonymous animals" viewing your document, spreadsheet, or presentation. This can happen when a document is shared publicly or with anyone who has the link.
Limit how people can view your file
If you want to stop sharing a file you can edit, you can learn how to:
Turn off link sharing for a file.
Prevent others from sharing files you own.
Hope this helps.
How can I allow users with permissions of "View Only" the ability to execute an apps script in a spreadsheet?
I've created a custom menu choice triggered by onOpen() that launches the script fine for anyone with edit permissions. However, onOpen() does not run for anyone with only view/comment permissions (consistent with the documentation) and thus the menu is not created and there is no way to launch the script.
Ideally, I would like view only users to view and execute the script, but not modify it.
If executing the script results in modifying any content of the sheet then I think it's reasonable to expect only those users with edit rights will be able to run the script. In view of this I am not sure I understand the question at all.
Ideally, I would like view only users to view and execute the script, but not modify it.
Simple triggers and installable triggers that are able to use SpreadsheetApp.getUi like onOpen and onEdit are executed only for users with edit permissions.
Instead of using a custom menu you could add a link to script published as web app allowed to be accessed by anyone and run. The link could be added to a cell or to an image.
Related
Threads with answers with score > 0
Google App Script - allowing access for anonymous users
Threads with one answer with 0 score
Extend Google Spreadsheets UI with a Google Web App
Google Spreadsheet - Custom menu won't load because onOpen won't fire
I just spend a few days on this and don't believe you can! In order to let an anonymous user execute a web app google app script, you have to set it to "Anyone on the internet with this link can edit" in the app script sharing options. Plus you have to make the sheets the script touches editable by anyone. Plus you have to deploy it as executed by you and everyone has access.
No sir, I don't like it. The app script should be executable without being editable. Google's choice makes no sense, especially considering how difficult they've made it to share content with anonymous users. You'd think they would allow an execute privilege without a modify privilege. (Are opinions allowed in answers?)
I have a script which adds new rows and changes the sheet in some ways.
I'd like to lock this sheet so it cannot be edited manually, but allow the script to be run.
Is there a way to do this?
Yes, it's not the most easier thing to do, but it's possible.
But before we start it's important to understand how Google spreadsheet/sheet protection works.
There's no way to protect a sheet or range from the file owner. So, if you also want to protect a file from yourself (assuming you're the owner). Then the only solution available now (I do hope they change this in the future) is to change the ownership of the file to another account. What most people do is use another Google account that they don't use actively (you can create a bogus easily if you don't already have one).
Then, after you have transferred the file to another account, you can easily lock changes to ranges, sheets or the whole spreadsheet using the regular GUI.
Ok, now to the script. When a script runs, it's always using the authorization of a specific account, and it can do everything that this account can. For example, when someone runs a script directly from the script editor, or clicking on a custom menu or image: it runs under the account of who's clicking. But if you set a installable trigger, then the script always runs under the account of who setup the trigger in the first place (not who's performing the action that actually triggers it). Simple event triggers run as who's triggering the action (you can think anonymously), but they can't do much, it's a security feature (read the link for a better understanding).
Lastly, when one is publishing a script as a web-app, then there's a selection box to choose if the script runs as the developer or the user. Very simple.
Back to the problem. Since we have locked out everybody from the desired sheet/range. For a script to make changes to this locked area, it must run as the file owner!
If the changes you do are automatic, e.g. via a installable trigger, then you're good. Just setup the trigger using the file owner account and that's it. Also, if your users are accessing the script "externally", that is, via a web-app. Then that's easy to, just setup the web-app to run as the developer (the file owner).
The most complicated scenario is if you need to run the script from a custom menu, which will then run under the privileges of who's clicking on it, which themselves can not make changes to the protected area. The solution to this is to deploy the script as web-app running as the developer, and have the function running from the button click to call the deployed url using UrlFetch, possibly passing some parameters to designate what needs to be done. Then, since the webapp runs as the developer (which is the file owner), it can make any changes required, and return (if there's something to return) any value (usually a JSON) to the calling function (which is running as the user and is associated with his session), so you can show him a message on a popup or toaster, etc.
It's kind of tricky but works great, and you can do all that on the same script contained in the spreadsheet. But if you're concerned that your users may access the script editor and change the code (which is possible), than you should separate the web-app part on a different file, that you don't need to share with them.
Yes but only for others not for the script owner. Just use 2 accounts one as the owner and the other one as the reader.