Why do all Google Apps Scripts require so many permissions? This screenshot is from a test script I made. Should I worry that 3rd party apps also have the ability to delete spreadsheets (or emails or whatever app the script is accessing)?
Or is it just to delete the spreadsheet I am working on? Some scripts say all files in Google Drive. Who wants to give any app that much control? In practise, would any 3rd party developer actually go through with this? It almost sounds like giving programmers the ability to hack our accounts? Am I not understanding this?
Here is an example of a 3rd party app. Do they seriously need all those permissions just to send out an email from a Google Sheet? Seems excessive! Can I, after the fact, restrict the permissions as other authors have said, just a few minutes ago?
I don't see the point.
If you created the script from a spreadsheet, you can declare the following (add it the top of your script) to only grant access to that spreadsheet:
/**
* #OnlyCurrentDoc
*/
See also https://developers.google.com/apps-script/guides/services/authorization.
Related
I have google sheets addon in Google Workspace Marketplace. I want to store the emails of the users installing the addon. I'm thinking of three possible ways.
Write to private spreadsheet under the addon account (different than the user's). Addon is running under user's so the question is, is this even possible - accessing the addon account (specifically writing to a spreadsheet) from within the user google account context?
using PropertiesService - Write the user to script properties using PropertiesService class.
One problem with this one is the limitations as explained in Quotas for Google Services.
for me, at lease for now, this is enough.
However the question is how to access those script properties programmatically.
Of course I can access the data from the script editor, but this is not practical if I want for example to send mail to all the users.
adding code to the addon that will be available only for specific users (admin). In this case since I can read the users from the script properties, and maybe write them to spreadsheet to be used later. This looks ugly, I admit.
I'm not asking for code solutions, but suggestions for the right or best approach.
The easiest solution is to create a database
Create a spreadsheet located on your Drive, shared as "Everyne can edit".
Implement a flow where after Add-n installation data containing the user"s email will be appended to the spreadsheet.
This request will take place on user's beahlf, however given that the spreadsheet is shared publicly, there won't be any access permission issues
Even if the spreadsheet is shred publicly - given that the spreadsheet id is not known by anyone other than the Add-on code, you do not need to worry about undesired access to the database.
I have a similar question to both of the questions below. I have a script bound to a google sheets, and I use this sheet as template. However I'm looking for an option to not have to grant permission each time I copy the file.
From reading the answers in the questions below, I understand I have to publish a standalone script as an add-on.
However, reading this answer, I see that I need to create a Cloud Platform Dashboard and all bunch of stuff which looks pretty messy to me, such as google reviewing process. Again, it is only for personal use...
Is there a way I can privately publish it as an add-on, without having to go through all the process?
Thank you
What is the best way to create Container-bound Scripts that can be cloned?
Grant permissions on open for first time for a bound script in Google Sheets
If you don't want spreadsheet hook triggers like onEdit or button or anything else, You can use a standalone script.
A standalone script can be written, which loops through your spreadsheets doing what's needed based on a time trigger.
Adding to the already existing answer
Publishing a private add-on does not require going through the Google Review process, especially since it is for personal use only.
Therefore, the situations below do not require verification:
If you want to deploy the add-on solely for internal use which means that the add on will be used only by people in your Google Workspace or Cloud Identity organization.
If you want to use the add-on domain wide which means that the add on will be used only by Google Workspace enterprise users within the domain.
For the whole list of exceptions from the verification process, you can check this here.
Reference
OAuth API verification FAQs.
I've built a spreadsheet as a form by google script with one button which updates a database(a different sheet) according to the form - btn_pressed().
I want to authorize any google account I give access to - to use the form (activate the google script code), and update the database and send mail (part of the btn_pressed() process).
should I publish the script as a web app? or there's another way to do what I'm looking for
I understand that you want to automatically authorise the script for other users when they come to run the script?
I recently learnt you can only do this with certain triggers such as onOpen() out onEdit(), there is a way round this though. Please see the following link as i asked the question on here myself!
Remove authorisation required for script on Google sheets
I trust that helps
I am using the same (unverified) app script for multiple (around 200) spreadsheets. For each spreadsheet I authorized the script.
Though after a few days it seems like some spreadsheets just loose the authentication and need to be reauthorized.
Can anyone explain why that happens?
This is a recent bug in Google Sheets. If you are logged into multiple Google accounts at the same time, some scripts bound to Google Sheets may require authorization.
However, if you open the same Google Sheet in incognito mode and log into a single Google account, the authorization may not be required.
Have you made any edits to the script? That resets the authorization requirement I believe.
I am using the same (unverified) app script
When running a Google security check-up these will appear as unverified third party apps that you are giving access and if you do not recognize the script name you might be inclined to remove access.
You are an 'unverified third party' even though you wrote the script and own the properties being accessed, a problem when Security checks are done.
As I wrote it and I am the only one that has access to it and it only has access to my properties, I don't know why I would be considered unverified much less a third party.
I have a seemingly simple problem that seems to get more complicated the more I get into it.
I have one spreadsheet document.
This spreadsheet utilizes a google apps script, that in turn utilizes various APIs: Domains, Sites, Spreadsheets...
To use this spreadsheet I have to take a few steps -
Authorize the spreadsheets. This dialog only comes up if I use the
script editor, otherwise the Spreadsheet fails silently.
Enable Domain API in Editor -> Resources -> Advanced Google Services
Enable Domain API in Google Developer Console to a seemingly hidden
project that is attached to my spreadsheet. The only way I can access this secret page is through the Advanced Google Services menu in step #2.
After getting through these hurdles, the spreadsheet now functions correctly without having to use the Script Editor.
Now I want to share this spreadsheet with other users in my company's domain.
Is there any easy way to do this, or will every single user I share it to have to jump through these hurdles as well?
Am I thinking about this wrong? The documentation states the script is 'attached' to the spreadsheet. But the more I get into it, the more separate these two things seem to be. I can share a spreadsheet - but the script won't function properly. I can publish a 'web app' with the script editor - but it won't come with the spreadsheet.
Any help appreciated
Frusteratingly yours...
Other users will have to have the same domain permissions as you do.
An approach you could take is have all the permissions related work done on a script that is published as a web app that will take url parameters (to trigger tasks), which is run as you and accessible to others.
From there, your original script can call the published url and send instructions via parameters.
https://developers.google.com/apps-script/guides/content