I'm looking to switch all domain-shared files from "Shared with Domain" to "Shared with group". I'm trying to identify whether a permission on a GDrive file (not from Shared Drive) is inherited or not. However Drive V3 API does not appear to expose permissions/permissionDetails attribute in same way as Shared Drives. Is there an efficient way to get the "inherited" status of a permissions? Trying to avoid having to walk the folder hierarchy.
Background on use case: We have decided that shared to domain is overly broad as the company grows. We have many consultants and contractors who should not see everything in the firm. We want to switch from Shared to domain to Shared with groups to better manage least privilege. We are aware that we cannot change UI at this time.
Answer:
There's no direct way to get the inherited status of file permissions in Drive API.
Explanation:
permissionDetails is only available to shared drive items, and neither Permissions nor Files include any additional fields regarding inheritance.
Therefore, I don't think you can use inheritance to filter out the files to update.
Feature request:
There's a feature request in Issue Tracker related to this:
Sharing permission inheritance details not mention in API
You could consider starring it in order to keep track of it and to help prioritizing it, but since it hasn't had much activity, I'd strongly suggest you to file a new one using this template.
Related:
Permission details are not returned in Google Drive API V3
Google drive api v3 permission details
Related
I need to edit Google Drive files created with my nodeJs webapp and owned by me or shared with me.
Using "https://www.googleapis.com/auth/drive/file" scope I can edit files owned by me.
To edit also files shared with me I must use "https://www.googleapis.com/auth/drive" scope. But this scope sends a very scary message to users on login: "This wil allow xxx to: see, edit or delete all of your Google Drive files" (bold is mine).
I don't want to delete your files and I don't want to edit all of your files: is there a way to reach my goal with a less scary scope?
The only alternative to the drive scope, if you want to edit the files, is drive.file, which gives access to files that you have opened or created with the app (ref).
Since this is not an option for you, I'm afraid you'll have to use the scary scope.
Feature request:
Considering your situation, I think you might be interested in this Feature Request, regarding the possibility to restrict access to a specific folder. I think that could be very useful for you if it got implemented. I'd suggest you to star that issue, both to keep track of its development and to help prioritize its implemenation:
Drive Restrict access to folder when authorizing applications
Related:
Google Drive API: 404 when accessing file someone else created
Google Sheet OAuth scopes to only access a few files?
We would like access to a client’s folder within their Google Drive and all files under that folder. This can either be a folder we create from the app or a folder the client picks.
The first approach I tried was to create the folder from the app.
The problem is that I am only able to list the folder itself, but NONE of the content. https://developers.google.com/drive/api/v3/folder
The second approach was to use the Google Picker API. There the
client can choose which folder(s) to give us access to. However we
can only get access to the folder, and none of the children
folders/files. https://developers.google.com/picker/docs
This seemed like an easy and straightforward use case. But can’t seem to find a solution in their documentation, or maybe I don’t comprehend some of the logic. A solution would be a way to either propagate the permission to all the files included in the folder it get’s picked or created… or to have the picker select all the children.
My preference is to continue with the Recommended scope https://www.googleapis.com/auth/drive.file . And it might be that the folder contains thousands of individual files multiple levels in, so it’s not a solution to manually pick the files. Any thoughts on this would be greatly appreciated, thank you!
A possible solution for your situation...
Is to create the folder in a shared drive.
Therefore, even though new files are added/updated/removed you will still be able to see all the updates and retrieve the information needed as you will have constant access to this folder.
Another solution which is more cumbersome...
Is to ask for user's permission and to re-authorize the application each time they are using it so in the case a new file is added you will have access to it.
Reference
Drive API v3 shared drives;
Drive API v3 manage shared drives.
The first approach I tried was to create the folder from the app. The problem is that I am only able to list the folder itself, but NONE of the content. https://developers.google.com/drive/api/v3/folder
The issue is probably the scope you authorized the user with. If you authorized with read only access your not going to be able to create you need full drive access to do that.
If you are using https://www.googleapis.com/auth/drive.file then you should create a folder with that and then create a file in the folder that i believe should work.
The second approach was to use the Google Picker API. There the client can choose which folder(s) to give us access to. However we can only get access to the folder, and none of the children folders/files. https://developers.google.com/picker/docs
There is no way to request access for a single folder or files. Its all or nothing really unless you use the https://www.googleapis.com/auth/drive.file scope which would only give you access to the files that your application created.
The product I'm working on currently uses the scope "https://www.googleapis.com/auth/drive" (which is now "restricted" by Google), which gives full read and write access to a user's Drive account, including app metadata. But we only need read access to list all files and folders inside a specific folder, and we need to be able to download those files, that's all.
Google Drive API will soon apply the new "restricted" scope policy (https://support.google.com/cloud/answer/9110914#restricted-scopes), which will require us to go through a very expensive audit (tens of thousands of dollars...). Is there a possible workaround to get 'read-only' access on a specific folder, and avoid the audit (note that https://www.googleapis.com/auth/drive.readonly is also a restricted mode)?
I'm aware of the "https://www.googleapis.com/auth/drive.file" scope (which is "recommended" by Google, so no audit required), which almost solves this problem. But we have thousands of users bringing in data from multiple Drive Folders, and pushing new files daily. This scope would introduce a manual step for a client each morning to have to "approve" every new file, and this would be a big scalability/usability problem.
Ideally, I would like Google to add a new scope, like a read-only access to anything inside a folder, before they go forward with their audit... but i doubt that this will happen soon.
Does anyone know of a better option?
[EDIT] For reference, here is the list of scopes and we can see which ones are "restricted", "sensitive" and "recommended" : https://developers.google.com/drive/api/v2/about-auth
Solution
Hi! So after taking a better look at this it seems that restricted scopes do NOT require any paid audit. The main difference is that they will have a wider access to user's data and thus it requires you to go through a restricted scope verification process.
You can use these restrictive scopes (the one that best fits your application) without the need of paying any audit. See more information about how to implement restrictive scopes here.
I'm trying to implement a shared filespace on an existing server that has its own login/authentication system. I'd prefer if I could use Google Drive or One Drive as the actual backing file store since then the files could (ideally) be edited in browser and automatically update for everyone else that has access to the shared area.
Diagrammatically (red link = existing authorization, red dashed line = desired auth in a session):
The need for this weird scheme stems from usage by a group where almost the entire set of members gets replaced each year (university committee). It was decided we don't just want to use a Google Drive folder since these end up in people's personal Google Drive folders, files get lost of cleared out etc. Additionally we already pass through this website quite regularly so it makes sense as an official repository of committee documents.
However this leaves me stuck with the issue in the diagram. I don't think that the server can create new, temporary tokens for a logged in user for them to pass to the Google Drive API to edit files. The question is really, can I get the Google API to do this for me somehow by only talking to the server? If not, what's the best way to implement this?
Thanks!
We are having issues where sometimes a file that a user can access is not returned when the user issues a files.list. This can happen in many ways. For example, new members of a Google group will not see previously shared files, as described in this question. Moreover, acording to Google documentation there are other limits on sharing which can prevent shared files from appearing in the "Shared with me" view. Finally, a user can issue a files.delete on a file she doesn't own, and the file will disappear from files.list but will still exist.
What can a user do via the SDK alone to cause a file which she can access via files.get to appear in the list of files retrieved via files.list? We are using a service account which impersonates users; the user never authenticates to Google via a browser. A link in an email that the user needs to click won't work for us, unfortunately. Accessing the file via the Google Drive UI has the desired effect, but the analogous files.get call does not.
The Google Calendar API explicitly exposes a CalendarList interface where a user can issue an insert to add an existing calendar to her list. The Google Drive SDK seems like a hybrid Files/FilesList interface with some of the functionality missing (nothing like FilesList.insert) and some of the functionality mixed together (issuing a delete as a non-owner acts like FilesList.delete but issuing it as the owner acts like Files.delete).
If we can't manage the user's files list programmatically then it is not useful for our service. We could ignore the files.list call entirely and just start recursively performing children.list queries on all shared folders, but this is incredibly expensive (unless someone knows how to issue a single query which returns all the Files resources in a folder and not just the IDs of those resources).
Any help would be appreciated. We've been trying this many different ways and have been frustrated at every turn. Thanks!