Setting up permission for app execution in google apps scrip - google-apps-script

Could somebody please give me some assistance or to refer me to a documentation or an article for the following.
I am developing a web app using Google Apps Script. Is there any way that I can set up the project so the web application could same time:
1)access the data ( gmail, calendar) of user who is running the app,
2)access the data of the app's owner / deployer but only throughout the app (For example I don’t want to give access to spreadsheet data outside the app i.e. I don’t want to share the spreadsheet with an user accessing the app),

Related

Apps Script (Google Sheet) not allowing me to Run Script

I have a fairly simple dataset in a Google Sheet. I created an AutoSort script. I saved it, and when I click "Run," I get the following errors. One from a pop-up, and another from the Execution Log.
Pop-up error:
Authorization required
This project requires your permission to access your data.
*For this error, there is a button to "Review Permissions" and I log in using my google account and then just nothing happens.
Execution Log error:
Warning This project requires access to your Google Account to run. Please try again and allow it this time.
The Owner of this Google Sheet is my personal Gmail account, and I am making these edits and created the script using my business Gmail Admin account. I also tried to access this sheet and run the script USING my personal Gmail account, and received the same error:
Google hasn’t verified this app
The app is requesting access to sensitive info in your Google Account. Until the developer ({mypersonalemail}#gmail.com) verifies this app with Google, you shouldn't use it.
Any insight as to how I can authorize this would be appreciated. It sounds like something small I'm missing.
Also, in my personal email I receive a message with subject:
Review edits to your Apps Script project within your document
and it allows me links to access the worksheet and the script, but I don't see any way to approve the edits, or anything like that.
Expected behavior: What I am expecting is for the script to Run, when I click "Run."
It's not a good idea to mix accounts from different domains, specially when using a free account and a Google Workspace account like you have done because that is the cause of the situation that you are facing.
My hypothesis is that the Google Cloud default project linked to the bounded script is created with the account used to create the project.
If you need that you personal account be the spreadsheet owner the best is to create the script using the personal account, and when needed, create a Google Cloud Standard project (GCSP) using the the personal account. You might try to fix the problem with your spreadsheet and the current Apps Script project by creating a GCSP, as was mentioned previously, by using the account that is the owner of the spreadsheet and linking it to the Apps Script project.
Note: If your script is using sensitive scopes you might have to set the OAuth Consent Screen publishing status to tes and add your Google Workspace account as tester.
Ref: Setting up your OAuth consent screen
Once you have finished the setup of your Google Apps Script project you should be able to use your Google Workspace account to update and run the Apps Script code but any new deployment and new version should be done using your personal account.
If you have access to Shared Drives and are allowed to use them for your spreasheet, consider to move it to a Shared Drive as this will make a lot easier to manage your script.

Authenticate in Sheets Add-on to App Using Google OAuth

I am creating a Sheets add-on that works with our app. Our app uses Google OAuth for authentication.
I have the add-on working with manually configured credentials, but obviously that's not a real life solution. Now I need to have the add-on user authenticate to our app within the add-on itself, so we know whose account to work with.
User has data in Sheets -> user uses add-on to authenticate to app -> add-on uses app's API to push/pull data between Sheets and app for that user
I have tried using our API's login URL to get the HTTPResponse from Google using fetch() and loading it into a sidebar, but aside from it being ugly, it doesn't give me the expected option of choosing the Google account I want, but rather logging in from scratch, and when I enter my Google account, it doesn't do anything other than continue giving me errors about the frame being sandboxed. The threads here and here don't seem to address the issues as they're talking about iframe within the app, whereas I'm trying to use the sidebar in Sheets itself.
The app and the add-on are using the same GCP Project ID.
I need to get the same BearerToken that the app uses to use in the add-on.

Unable to access spreadsheet which is published to the web from appscript

I've written a app script(web app) to access spreadsheet and display it's content based on search criteria.
Web app should display content based on given name
It is working fine with my own gmail account. But when other users(given access for app script web app) tried this app they're seeing error as
"Exception: You do not have permission to access the requested document." It is throwing an error when SpreadsheetApp.openById(spreadsheetId) is executed.
By giving an explicit access(sharing with user) to the spreadsheet, he is able to access the data without any issue.
But as spreadsheet is already published to the web to access by anyone, why should it required again an explicit access to execute spreadsheet.
Is there way to access spreadsheet data without sharing it with the end user? Thank you in advance for the help.
I understand that you published a web app that opens a certain Sheet. In the "Deploy as web app" menu (opened from the Apps Script editor and selecting Publish ⮞ Deploy as web app) you would have been asked to determine how to "Execute the app as". You can choose between these values:
Me: every web app user will open the Sheet as yourself.
User accessing the web app: every web app user will open the Sheet as themselves.
As a consequence of the second case, the users would need previous access to be able to open the Sheet. Since you want to give them access no matter what, I recommend to use the first option. Please, ask me any additional doubt.

Is there a way to build an Google Apps Script application that uses BigQuery Service as a service account instead as a user?

What I trying to do here is an application that connects to bigquery, executes some query and writes a spreadsheet in current user's Google Drive.
I know that I can change the "Execute app as" option when deploying the app. But when I do this, and the user try to use the app, Google asks for permission to access the BigQuery.
I do not want to give permission to each user to access BigQuery.
We have about 50 ~ 100 users who will use (and this number can increase)
Some images:
When access the application's url: http://i.imgur.com/kGzJ3ps.png.
When the user clicks in the "continue" button:
http://i.imgur.com/4cRmhZ6.png
Hope I've been clear.
You would probably need an App, that had people sign in with their Google account using oAuth2
Google Accounts Authentication and Authorization
I think that this link gives an overview of what your options are:
Permissions and Types of Scripts
I guess you would need to have an App, that ran as User at the keyboard, so that the spreadsheet saved to their Google Drive. If you wanted the user to be able to download a file to their computer drive, that's a little different.
Just use HTML Service. It's basically just building a website. You just don't have a domain name. But the spreadsheet you are distributing doesn't have a domain name.
HTML Service Google Documentation
From an Apps Script HTML Service, you can write to Spreadsheets, Documents, and run HTTP Requests (urlFetch).
URL Fetch Service
The permissions in the Apps Script App can be set to run the Apps Script file as yourself, with access to anyone, even anonymous. That way, the user will never be asked for permission for any files that you own. You will need to authorize it once, the first time any script that needs access to your files is run.
Because anyone could run your Apps Script App, you might want to have a log in system to authenticate users.
You would need to use the Big Query API with Apps Script urlFetch to access Big Query.
So, with the HTML Service, you can do most everything you could do with HTML, CSS, and Javascript on a regular website. You can create custom input forms, have different pages and display data in tables. Plus it's served over HTTPS.
One solution that you can use if you don't want all your users to enable BigQuery is to use a webapp deployed as a service running as "you" and that will respond to an urlFetch coming from each user through the script they run as "themselves".
This service will be deployed as any other webapp using a doGet main function and return its data using contentService
Yes, that is possible. Check out this answer here: Using Advanced Google Services with Service Account and also check this awesome library: https://github.com/googlesamples/apps-script-oauth2

Can you access a spreadsheet using the Google Drive API that doesn't belong to you, assuming you are authenticated?

I have a spreadsheet that my client wishes to keep private. They also wish to sell the information that can be calculated using it (its really complicated, with lots of up to date information in it).
My approach has been to create a web application that users can log into. I'm then hoping to make the web application access the spreadsheet using the Google Spreadsheet API.
The problem:
So far everything I'm trying is actually logging me in as a user to access the spreadsheet. I'm concerned that this technique is incorrect: its the web app that should be authenticated, not the Google User.
So, very convoluted, but finally my question: is it possible to authenticate a web app, not a Google user, to access a spreadsheet stored in Google drive? Hence, hiding the spreadsheet from them.
The simple way is for you to make web app proxying spreadsheet with "Anyone with a link" on Sharing setting of Google Drive. Your web app can authenticate buyers and show caching a link read-only spreadsheet link to them.