Beginner question – I have an app script in a Google Sheet (response sheet from a Google Form) generating Google Docs. It is unexpectedly making me the owner of those docs. The business owner is the owner of the form, sheet, doc template, and shared Google Drive folder where the docs are. She has given me edit access to all. She also is shown as the owner of the app script “project” in the sheet. The app script creates a copy of the template doc in the shared folder, and populates it with data from the form. I am the owner of these new documents, why is that? I am only editor of all the components involved. Can I fix it so that she is the default owner of the new docs?
The newly created documents will be owned by the account that runs the script. This is clear enough when you run the script manually, but it also happens when you run it through an installable trigger. The trigger owner will own the files created while the function runs.
Check who owns the 'formSubmit' trigger.
(From your script editor, view your triggers. The left most column will show who the trigger is owned by.) Since your name is appearing as owner, the trigger is most likely still owned by you.
Related
We are using Google Workspace in my company and my boss explicitly shared a Google Sheet with me, so he is the owner and I have edit access. I am trying to create an App Script but when I try to access the Script Editor I always get the screen to request access on Google Drive.
Is it still possible to create a script or I am only allowed to create scripts in sheets that I am the owner?
According to Google's documentation on collaborating:
Access to bound scripts
Only users who have permission to edit a container can run its bound script. Collaborators who have only view access cannot open the script editor, although if they make a copy of the parent file, they become the owner of the copy and will be able to see and run a copy of the script.
So I just came across this issue.
Essentially I had my personal account and company account logged in on Google. For some reason, the Script Editor would try and access in with my personal account and when switching to my company account I would get the request access screen.
After logging out of my personal account I was able to create the script normally.
I have a Master Sheet with only me having edit access to it. I have another sheet (user sheet) where users can add some data that I want them to update my Master sheet only via a script (in the user sheet). Is this possible?
I already have the script that can copy data from the user sheet and knows where to paste it in the Master Sheet.
I could do this easily using VBA in excel but I am very new to Gsheet and using Gsheet scripts. Hope someone can help me please.
You cannot have the user's bound script directly access a Sheet they do not have edit access to. A bound script always runs runs with the permissions of the user at the keyboard.
One possible workaround:
You can create a Google Apps Script web app that has a doPost function that edits your master Sheet. The web app should be published so that it "runs as you", and has anonymous access (which also means you should be careful how to process the requests you receive). In the bound script, you can communicate to your web app through UrlFetchApp, which can send POST requests and give you a response.
The easier way to do this is to have them modify their sheets and then your master sheet reaches out and gets the data from them on a timed trigger. Although making your own webapp would work.
I'm new to the world of Google Apps Script, and I found myself faced with a problem. I've created a script that runs as an onOpen() trigger, but if the spreadsheet file is read-only, this script does not run. I read that, being read-only, it is not able to run it. Is there a way to remedy this problem?
I gave the permissions in edit, blocking all the cells from scripts. I wish people can not see the script, as this allows them to re-run the script and take "power" on the sheet. If I create an API can I keep the sheet read-only?
Any suggestions?
All scripts must run under someone's authority. Under whose authority, a script is run determines whose data is accessible to the script and whether such authority can run the script.
Authorization Concepts:
Scripts which are run from the script editor run under the authorization of user at the keyboard¹. Custom functions runs anonymously. Installable triggers runs under the user created the trigger. WebApps run as per the options selected during deployment.
Simple triggers fire automatically and anonymously under these restrictions²:
The script must be bound to a Google Sheets, Slides, Docs, or Forms file, or else be an add-on that extends one of those applications.They do not run if a file is opened in read-only (view or comment) mode.They cannot access services that require authorization.
Installable triggers must be set up and run under the user who set up the trigger³.
They do not run if a file is opened in read-only (view or comment) mode.Installable triggers always run under the account of the person who created them.A given account cannot see triggers installed from a second account, even though the first account can still activate those triggers.
You can restrict access to spreadsheet, sheets or ranges⁴,⁵.
Deductions:
Mr.A(Owner) has a spreadsheet. The spreadsheet has two sheets 1.Main Sheet and 2. Secret Sheet(Sheet is protected and hidden to be edited only by Mr.A). It also has the following scripts: 1. A simple trigger script(onEdit) to set timestamp as a note in every cell that is edited. 2. A installed trigger (AonEdit()) to send email from MrA's email on every edit. 3. A function(summary()) to create a summary of Main Sheet and send email from user's account to himself(to run manually from script editor). 4. A function to protect the secret sheet(protect()) 5. A simple onOpen() trigger logging Someone opened your sheet. And He gives edit access to Mr.B(a editor). What can Mr.B do?
Mr.B edits cell A1 in Main Sheet:
Simple trigger onEdit is fired anonymously and a timestamp is set on A1 as a note.
Installable trigger AonEdit is fired under Mr.A's authority and a email is sent from Mr.A's gmail.This is not known to Mr.B,though he can see the script itself.
Mr.B,being a cunning person as he is, unhides the secret sheet successfully and attempts to modify it:
Mr.B could not modify the secret sheet,even though he can fully unhide/view it
Mr.B finds the script editor and tries to run the function summary(). This function needs gmail permission. Mr.B is greeted with authorization[¹] for Mr.B's gmail account,so that the function may run. Mr.B grants authorization and the summary is sent from Mr.B's gmail account.
Mr.B cunningly modifies the protect() function to grant himself edit access to the secret sheet. The user at the keyboard is Mr.B. Mr.B's authority is not enough. He's greeted with the following error:
You are trying to edit/remove a protected cell or object. Please contact the spreadsheet owner to remove protection if you need to edit.
Mr.A (Owner) knows about this unauthorized access attempt by Mr.B, He restricts edit access to All sheets. Now, Mr.B even though has permission to edit the spreadsheet, He cannot edit any sheet in the spreadsheet. Whenever he opens the sheet, the simple onOpen() is triggered logging Someone opened your sheet. Mr.B however can run the function summary() even now(If he has the script editor link) to get the summary of the sheet.
Solutions:
as this allows them to re-run the script and take "power" on the sheet.
A user with write permission can enter the script and modify the permissions.
As explained above, That wont be possible. The sheet/range edit permission is maintained even at the script level. However, A potential loop-hole is the AonEdit() function. If Mr.B were to know that Mr.A had set up a installable trigger for AonEdit() function, He can modify the AonEdit() function to say protection.remove(),which will run under Mr.A's authority(Installable triggers run under the person who created it) and thus the protection is removed.
I wish people can not see the script.
You can use a standalone script⁶. You can also use installable triggers[³] with standalone scripts subject to the restrictions of those triggers(such as It'll only run under your authority). Since the script is not bound to the spreadsheet, Editors on the spreadsheet do not have edit/view permission on the script. Alternatively, You can publish a addon⁷/webapp⁸.
I have developed a Google app script where I am generating new google sheet based on a template. After copying the Google sheet, we are changing the owner using setOwner method to specified email address. The requirement is to protect a range thus we use getRange method to select the range and then call protect() method and setDescription to show protect range description.
The issue is we don't want the person who run this script to have edit access. Because s/he is a creator, we tried to change the owner and used removeEditor as well, but it doesn't seem to work.
Thoughts: Is is possible to simuate the File copy run by another user such that the person who is running the script don't have access.
It's not possible to make a protection on such way that the spreadsheet owner will not be able to edit the protected sheet/range.
Bear in mind that only owners and editors are able to run scripts but they can't remove themselves as editors and and editor can't remove the owner.
From https://developers.google.com/apps-script/reference/spreadsheet/protection#removeeditoremailaddress
Neither the owner of the spreadsheet nor the current user can be removed
I wrote a google spreadsheet script incl. html service. Now I like to publish the html service as a survey. Everbody shall see it without registration at google but it should be not allowed to see the results of all participants.
Have you an idea how can I reach this?
I tryed a lot of publish options but I didn't reach my goal. Do you?
Right now, your Apps Script Project is probably bound to the spreadsheet. If the users who are submitting the form, never need to see the spreadsheet, then create an Apps Script file that is not bound to anything, it's "Stand Alone". Then do NOT share the spreadsheet. If you share the spreadsheet, then people who the file is shared with can VIEW the spreadsheet. It is possible to hide and protect sheets and ranges. And of course you can make settings for some users to be able to VIEW the spreadsheet, and others to EDIT.
If you share the spreadsheet file, then everyone it's shared with has VIEW permissions. You can't share a spreadsheet file and not give VIEW permissions. But, if you want some users to be able to see just some sheets in the spreadsheet, and not all the sheets, then you would need to write some code that ran when the Spreadsheet opened, and that code would be hiding and unhiding sheets depending on who opened the spreadsheet. Only users with EDIT permission can unhide a hidden sheet. So, that's an option. You can hide a sheet from anyone. But a user with EDIT permission can unhide the sheet. If you want to hide a sheet from someone with only VIEW permission, (They can't unhide it) then have code run onOpen() that checks the user, checks their permissions and either hides or unhides the sheet.
If the people submitting the form, never need to view the spreadsheet file, then don't even share the spreadsheet URL with those users. Just use the Stand Alone HTML Service as your "front end", "User Interface" with the users who never need to view the spreadsheet.
So, if the people who are using the HTML don't need to ever view the spreadsheet, then don't give those people the URL to the spreadsheet. Give them the URL to the published app. In that scenario, the users of the published app will never see the spreadsheet. The published app is essentially a website, with no real domain name.
The solution for you, depends on how simple or complicated the sharing, editing and viewing settings need to be.
When opening the script file, you need to use the Publish >> Deploy as web app option.
Then, choose the version you want to deploy as webapp or create a new one, set the app to execute as you, and add access to anyone (even anonymous). Like this:
The important thing is that the function that's called when someone access the URL that's shown for your web app, is a function called doGet(). So you must rename the function you use to display the UI and Form to doGet(). This function should return a valid HTML Output (normally using the HTMLService or the deprecated UiApp service).
So this:
Gets you this: