Bypass verification for GAS bound to a Sheet? - google-apps-script

Is it possible to bypass the verification process or at least the VERY SCARY "Go to (unsafe)" in tiny letters next to "BACK TO SAFETY"?
I sometimes have a shared Google Sheet that is meant to be used by a volunteer organization (think neighborhood HOA or PTA, etc.) and I add Apps Script to add menus to assist with adding or editing information on that Sheet only. I don't request any user information and I'm not using the script to access the user's Drive or Gmail or other sheets.
I haven't been able to find good documentation on this, but I can't tell if the Verification requirement stems from:
The fact that there is a script running at all
Some call I'm making to an API that is sensitive (and maybe I really am getting access that I don't realize?)
Use of HTML forms
If it's the 2nd, that could mean some changes could render my scripts harmless. FYI, a possible culprit is the use of SpreadsheetApp. I use that to access .getActiveSheet(), .getActiveSpreadsheet(), .getUi().showModalDialog(), .Dimension.ROWS, .getActive().getSpreadsheetTimeZone(), .getUi().createMenu()

Related

How to store the email of the google app script installing users

I have a Google Sheets addon in Google Workspace Marketplace. I want to store the emails of the users installing the addon. I'm thinking of three possible ways.
Write to private spreadsheet under the addon account (different than the user's). Addon is running under user's so the question is, is this even possible - accessing the addon account (specifically writing to a spreadsheet) from within the user google account context?
using PropertiesService - Write the user to script properties using PropertiesService class.
One problem with this one is the limitations as explained in Quotas for Google Services.
For me, at least for now, this is enough.
However the question is how to access those script properties programmatically.
Of course I can access the data from the script editor, but this is not practical if I want for example to send mail to all the users.
adding code to the addon that will be available only for specific users (admin). In this case since I can read the users from the script properties, and maybe write them to spreadsheet to be used later. This looks ugly, I admit.
I'm not asking for code solutions, but suggestions for the right or best approach.
The easiest solution is to create a database
Create a spreadsheet located on your Drive, shared as "Everyone can edit".
Implement a flow where after Add-on installation data containing the user's email will be appended to the spreadsheet.
This request will take place on the user's behalf, however given that the spreadsheet is shared publicly, there won't be any access permission issues
Even if the spreadsheet is shared publicly - given that the spreadsheet id is not known by anyone other than the Add-on code, you do not need to worry about undesired access to the database.

Turn OFF “Authorization is required” for Google Sheets Script for own team

We are a small company which just switched from paper to tablets (Surface GO Win10 Home) and we have one particular sheet which is used for every order (about 100 orders per month). This Google Sheet acts as a template for every single order and includes some easy code which is written in a bound Apps Script project, to handle things like switching the status from started to finished, copying some cells etc.
My problem is, when someone on the team wants to use the created "buttons" in the sheet to activate the script, it asks for authorization for the script to change the sheet. If you enable it, everything works fine but then for every new order you have to enable it again, and again, and it gets really annoying for every team member.
I tried somehow to
turn it off in the security options as administrator
tried it in the GOOGLE CLOUD PLATFORM under API's and services
tried to make the code somehow public in the script editor options
...but nothing seems to work. I used VBA programs a lot in Excel VBA but it was more a hobby and I'm not a computer scientist, otherwise it would maybe be easier to solve this problem.
Is there an easy way so every one of my team can work with the sheets created out of a template without any request from Google for authorization every time?
Kind regards.
The reason for the popups is that Google Apps Script is not part of Google Sheets itself, it's a separate application that uses OAuth 2.0 to get the permissions to make the requests by calling the APIs. The popup shows the scopes you are authorizing for. This means that you can't disable that.
Note that Apps Script could do more things than just edit the spreadsheet itself; it could get other files, get your personal information, call external servers, etc. Also, the authentication process will only happen once per file.
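An added example (not code from the question or the answer above) of how a bound script can narrow what the authorization popup asks for: the `@OnlyCurrentDoc` annotation limits the spreadsheet scope to the file the script is bound to. The column layout, status values and function names are assumptions.

```javascript
/**
 * @OnlyCurrentDoc
 *
 * With this annotation the consent prompt asks for the current spreadsheet
 * only, not every spreadsheet the user can open. Alternatively, list the
 * scopes explicitly in appsscript.json:
 *   "oauthScopes": [
 *     "https://www.googleapis.com/auth/spreadsheets.currentonly",
 *     "https://www.googleapis.com/auth/script.container.ui"
 *   ]
 * (script.container.ui covers dialogs and sidebars such as showModalDialog).
 */

// Assumed layout: row 1 is a header, column B holds the order status.
const STATUS_COLUMN = 2;
const ALLOWED = ['started', 'finished'];

// Simple trigger: adds the menu when the spreadsheet is opened.
function onOpen() {
  SpreadsheetApp.getUi()
    .createMenu('Order')
    .addItem('Mark finished', 'markActiveRowFinished')
    .addToUi();
}

// Writes one status cell in the bound sheet and nothing else.
function setStatus(sheet, row, status) {
  if (!ALLOWED.includes(status)) throw new Error('unknown status: ' + status);
  if (row < 2) throw new Error('header row is read-only');
  sheet.getRange(row, STATUS_COLUMN).setValue(status);
  return status;
}

// Menu handler: marks the currently selected row as finished.
function markActiveRowFinished() {
  const sheet = SpreadsheetApp.getActiveSheet();
  return setStatus(sheet, sheet.getActiveCell().getRow(), 'finished');
}
```

The script still needs authorization once per user and file; what changes is the breadth of access the prompt lists.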

Authorized App Script needs to be reauthorized

I am using the same (unverified) app script for multiple (around 200) spreadsheets. For each spreadsheet I authorized the script.
Though after a few days it seems like some spreadsheets just lose the authentication and need to be reauthorized.
Can anyone explain why that happens?
This is a recent bug in Google Sheets. If you are logged into multiple Google accounts at the same time, some scripts bound to Google Sheets may require authorization.
However, if you open the same Google Sheet in incognito mode and log into a single Google account, the authorization may not be required.
Have you made any edits to the script? That resets the authorization requirement I believe.
I am using the same (unverified) app script
When running a Google security check-up these will appear as unverified third party apps that you are giving access and if you do not recognize the script name you might be inclined to remove access.
You are an 'unverified third party' even though you wrote the script and own the properties being accessed, a problem when Security checks are done.
As I wrote it and I am the only one that has access to it and it only has access to my properties, I don't know why I would be considered unverified much less a third party.

Google Script and Anonymous user in Google Sheet

I've a public Google Sheet (everyone can access it and edit it). In it, I use a script, a function, that downloads a CSV with UrlFetchApp.fetch(url).
When an anonymous user accesses it (without the Google login), the user can view and edit the sheet, but the user cannot run the script. The user must be logged in with a Google account for the script to work.
The stranger thing is that this sheet with this script was working for anonymous users earlier. This problem didn't occur before a couple of weeks ago.
Do you know if Google changed something about security or is it an error that I am making?
In order to run apps script on a particular user's behalf, Google Workspace requires that user's permission, via an OAuth flow.
If a user is anonymous therefore, you can see why this permission cannot be granted, which is why the script won't work for those users.
I guess it is an intended behavior as long as the anonymous user accesses the sheet via shareable link. As stated in this support page, you might see a name you don’t recognize or "anonymous animals" viewing your document, spreadsheet, or presentation. This can happen when a document is shared publicly or with anyone who has the link.
Limit how people can view your file
If you want to stop sharing a file you can edit, you can learn how to:
Turn off link sharing for a file.
Prevent others from sharing files you own.
Hope this helps.

Limit Spreadsheet Access to Scripts

I'm attempting to create a poor-man's ticketing system through the use of Google Sheets and bound scripts, but I don't know of any way that I can limit interaction with the spreadsheets to the scripts attached to buttons. I want to be able to share this sheet and have other users interact via a guided process triggered by my buttons/scripts, so as to avoid corrupting/losing information on the sheet due to carelessness.
At first I thought that I could just protect the sheet ranges that I didn't want damaged and be able to give access via the scripts, but that sadly is not the case.
Ultimately the question is, how can I use scripts to access a protected range with permissions as a viewer only.
You don't want to do it that way.
The easiest is to deploy as a webapp running as you. They use the webapp instead of pressing buttons or menu items.
To still use buttons/menus/sidebars it is possible but with more steps. You would need to publish a contentService as webapp (anonymous) and use urlFetch into the service to make those changes. Not secure because curious users could find that service URL in code and use it for bad purposes without traceability.
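An added sketch of the first option in the answer above (a web app running as the owner), written so that every write is validated and attributed to a signed-in caller. It is not code from the thread, and the script property `TICKET_SHEET_ID`, the `Tickets` tab, the `Form` HTML file and the field names are hypothetical.

```javascript
// Added example. Assumptions: web app deployed with "Execute as: Me" and
// access limited to signed-in users of your own domain; the script property
// TICKET_SHEET_ID, the 'Tickets' tab and the 'Form' HTML file are hypothetical.
const STATUSES = ['open', 'in progress', 'closed'];

function doGet() {
  return HtmlService.createHtmlOutputFromFile('Form');
}

// Trailing underscore: private, so the page cannot call it via google.script.run.
function buildTicketRow_(payload, email, now) {
  if (!email) throw new Error('caller is not identified');
  if (!payload || typeof payload.summary !== 'string') throw new Error('summary is required');
  const summary = payload.summary.trim();
  if (summary.length === 0 || summary.length > 200) throw new Error('summary must be 1-200 characters');
  // A cell value that begins with "=" is interpreted as a formula.
  if (summary.startsWith('=')) throw new Error('summary must not start with "="');
  if (!STATUSES.includes(payload.status)) throw new Error('unknown status');
  return [now.toISOString(), email, payload.status, summary];
}

// Called from the page as google.script.run.submitTicket({...}).
function submitTicket(payload) {
  // Empty when the caller cannot be identified (for example, outside the domain).
  const email = Session.getActiveUser().getEmail();
  const row = buildTicketRow_(payload, email, new Date());
  const lock = LockService.getScriptLock();
  lock.waitLock(10000); // serialize concurrent writers; throws on timeout
  try {
    const id = PropertiesService.getScriptProperties().getProperty('TICKET_SHEET_ID');
    SpreadsheetApp.openById(id).getSheetByName('Tickets').appendRow(row);
  } finally {
    lock.releaseLock();
  }
  return { ok: true, recordedAs: email };
}
```

Because the script runs as the owner, users need only view access to the spreadsheet, and each appended row carries the caller's address and a timestamp.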