Good day, folks!
I am creating folders using API v3 files/create https://developers.google.com/drive/api/v3/reference/files/create.
I execute two similar requests with body:
{
"folderColorRgb": "#AC725E",
"description": "Folder description",
"name": "MyColorfulFolder",
"parents": [
"<my parent id>"
],
"mimeType": "application/vnd.google-apps.folder"
}
The only major difference (except folder name being unique, of course) that the first request is coming from a service account, while another one from my personal account.
It seems that the folder color is set only for the account that invoked the request thus the other accounts don't see the color.
I am wondering, if there's a way to enforce the folder color-coding for all users?
Thank you!
According to the Google documentation, all changes or customization you make to the folder colors are only to your view:
You can customize the color of folders and shortcuts to folders in your My Drive and shared drives. If you change any colors, it only applies to your view in Drive.
Therefore, enforcing a color code in folders doesn't seem possible at the time.
The only way this seems almost feasible is if you have Google Workspace subscription and use a service account for 'user impersonation', then impersonate each user in the organization and apply the same color to your target folder(s).
References
Change color of your foder- Google Drive
User impersonation using a service account - Google Workspace
Related
I am developing an application that interacts with Google Drive and will work as follows: When a user adds/modifies a file in Drive Share, my application will receive a notification and I will handle it. I did the development locally using Auth2 authentication and everything works perfectly, but this application will be hosted on a Cloud Functions and because of that I am not able to use Auth2 authentication, as user consent is required.
Due to this problem, I went to the perspective of using a Service Account, where I added it as the manager of my share drive, used it to create the function, and gave it all the necessary permissions, but when I modify a file, the my endpoint that was supposed to receive the message, just doesn't.
I did a search and saw that it's due to the service account not having access to user data, so it makes sense that no notification would be created.
Below I am attaching the code I am using to create the watcher on the drive and the authentication process by SA:
Code responsible for get credentials to authentication
SCOPES = [
"https://www.googleapis.com/auth/drive",
"https://www.googleapis.com/auth/drive.file",
"https://www.googleapis.com/auth/drive.readonly",
"https://www.googleapis.com/auth/drive.metadata.readonly"
]
credentials, project_id = google.auth.default(scopes=SCOPES)
credentials.refresh(req.Request())
Code responsible for creating the watch
drive = discovery.build("drive", "v3", credentials=credentials)
params = {
"kind": "api#channel",
"id": "id_watcher",
"type": "webhook",
"address": "address cloud functions"
}
# r = drive.changes().watch(fileId=file_id, body=params, supportsAllDrives=True, supportsTeamDrives=True).execute()
r = drive.changes().watch(pageToken=1,
body=params,
driveId=driverId,
includeCorpusRemovals=True,
includeItemsFromAllDrives=True,
includePermissionsForView=None,
includeRemoved=True,
includeTeamDriveItems=True,
pageSize=None,
restrictToMyDrive=None,
spaces=None,
supportsAllDrives=True,
# supportsTeamDrives=True,
# teamDriveId=driverId
).execute()
My question would be if there is a way to use Auth2 without the need for user consent, that is, without the step of opening the browser and allowing the generation of the token. If not, can you help me with a method that might work?
Remembering that this code will be in a cloud functions.
Thank you very much!
Two suggestions, one for the user consent scenario and one alternative for the notifications:
Domain Wide Delegation and Impersonation
If you are using Google Workspace and building the application for the organization. You can use Domain Wide Delegation if you are utilizing Service accounts. This would allow you to start the process of impersonation and avoid the consent of the users.
As suggested by the official documentation you can also apply and review the ways to grant the service account with the option to impersonate users.
Generating Notifications
Another suggestion could be utilizing Pub/Sub or push notifications to have your alerts. You would be able to utilize the Service account and your code and get the notifications and have them similar to an Audit log:
The image is a sample of a Gmail APi for watch and list.
References:
https://cloud.google.com/pubsub/docs/overview
Google Drive API - file watch does not notify (webhooks sample)
With the recent security update for Drive document URLs and resource key https://developers.google.com/drive/api/v3/resource-keys it's not clear how to get the resource key using the API. For instance the create method doesn't return resourceKey, only id :
drive.files.create {
resource: fileMetadata
media: media
fields: 'id,resourceKey,shortcutDetails'
}, (err, body) ->
...
The security update needs to be applied in order for the resourceKey to be useable to you.
To apply the security update:
From the Admin console Home page, go to Apps and then Google Workspace and then Drive and Docs.
Click Sharing settings and then Security update for files.
Choose how to apply the update:
-Apply the security update to all impacted files
-Remove security update from all impacted files (not recommended)
(Optional if applying the update) To let users remove or apply the update to files that they own or manage, check the allow box.
If you made any changes, click Save.
Reference:
Decide how to apply link-sharing security update to Drive
See: Is it possible to share a file publicly through Google Drive API
Using the information above, If I attempt to set the necessary permission for a specific file, I receive the following:
Error calling POST https://www.googleapis.com/drive/v2/files/{somefileid} permissions: (403) Insufficient permissions for this file
This error only occurs for google accounts tied to a google apps for edu setup where the admin has unchecked the option Google Apps -> Settings for Drive -> Share Settings -> Outside this organization: "Allow users to publish files on the web or make them visible to the world as public or unlisted files"
Using the Permission feed works fine otherwise, but ideally I would like to know if there is a way to check for this setting beforehand, instead of catching the 403 exception from the drive service.
You can use the About.get() endpoint to get details about the user's Drive, including this sharing setting. The field domainSharingPolicy can have the values allowed, allowedWithWarning, incomingOnly and disallowed. The first two in that list should allow publishing outside the domain, while the second two should not.
I have created a service account for use with the Google Drive API as outlined here:
https://developers.google.com/drive/delegation
After all the reading I've done, my impression is that this service account should act on behalf of the actual account which is part of the Google Apps for Business domain being used.
With that, I would expect that no special permissions would be needed to be dealt with when dealing with Google Drive folders. However, after authenticating and trying to list the contents of a folder, nothing is shown.
If I add the service account email address specifically to the "share" list for the folder, everything seems to work as intended. I can list the files in the folder using the API.
My question is, is this the way it's supposed to be or am I missing something that would allow the service account to access folders on behalf of the actual account without having to specifically add the service account email address to the share list?
Thank you for your time.
You need to impersonate the user with his/her email. Go through the steps explained on https://developers.google.com/drive/delegation and use the snippets below for further coding reference.
We have a google corporate account and need to transfer ALL of a user's google drive files to another account in certain instances. We want to do what is described at the following link for "all files" but programatically via the latest Drive API http://support.google.com/a/bin/answer.py?hl=en&answer=1247799
We are currently using the following API version(s) below, coupled with domain wide authority delegation as described at https://developers.google.com/drive/delegation and are able to see a user's files, iterate over them etc.
google-api-services-drive 1.14.2-beta
google-api-client 1.14.1-beta
My question is this: it appears that the only way to change permissions is by fileId by fileId etc. Instead of having to traverse and iterate over an entire set of user's files, if we just want to transfer ALL of a user's files to another particular user: is there a way in the API to do this (ownership transfer for ALL files) rather than individual requests file/by file?
Also when transferring ownershisp, must the transferee be in the same #domain or can it be another #domain we manage? I read somewhere that you can only transfer to owners in the same domain. Does this still hold true? For instance we manage #myCompany.com and have our corporate account registered under that, however that shell account has several sub-domains within it. We would like to transfer files from users in the sub-domains to a central user in the #myCompany domain.
You need to change permissions file by file, there is no updateAll type of functionality at the moment.
You cant transfer the ownership to another domain's user. Ownership can only be transferred to another user in the same domain as the current owner.
This answer doesn't directly answer your question, but it could be helpful for both you and future visitors.
As of now, you can mass transfer files to new users with Google's new Admin console. It doesn't let you filter for specific folders, but it does allow you to transfer all of one user's Drive files to a second user.
I know you were trying to create something which uses the API to iterate through folders and files, and you probably have a very specific use-case in mind. However, in the case where you have employees leaving, or you need to transfer everything, using the following method is fast and simple.
Open the Google Admin console
Go to Google Apps > Drive
Click on "Transfer ownership"
Fill out both user fields and submit
This process will even email both users once the process is completed.
You can do this with a single call to the Data Transfer API
Exactly what is needed but only with API!
Open the Google Admin console
Go to Google Apps > Drive
Click on "Transfer ownership"
Fill out both user fields and submit
This process will even email both users once the process is completed.
If this is not possible via API calls, then there is no point deleting a user using API.