I have a spreadsheet that is editable by everyone with a protected sheet with some ranges unprotected.
I want cells that can be altered by a script run by any user (from a menu), but not manually.
When I run the script not as the owner it gives an error message when I try to temporarily remove the protection.
There seems to be no easy way to do this, because functions run from the menu is always executed as "user at the keyboard".
One workaround is to publish a Web App to always "Execute as" Owner. This web app will then write to protected ranges on doPost(). The function linked to Menu UI will then use UrlFetch to POST to the published Web App. You can also use some basic authentication with a password/randomly generated numbers to reject requests from outside your script.
Also, If you don't trust editors not to mess with your bound script, It's better to publish it as a private add-on, where the source code is not easily accessible.
Related
I have a complex spreadsheet where most of the sheet is locked and the user can only edit a handful of cells which triggers a bunch of calculations. This used to work fine but the problem now is I have added a drawing which I attached a script to so it acts as a button. Doing this forces the user to have to authorize and now the scripts run as that user so when the script tries to update cells that are locked to the user it fails.
How can I make it so a user can't type into cells, but my scripts can still update them. Basically I want the script to have full access to the sheet, not restricted by user permissions.
Workaround#1 -Service account:
Create a service account
Share your spreadsheet with edit permissions to the service account's email
Install and Use the Google oauth2 library to get Bearer token with necessary scopes(Drive/Sheets/Both). This token can be used to impersonate the service account.
Using the bearer token above, You can directly access the
google-sheets-api using urlfetch
OR use a published webapp(set to execute as "User accessing the app" and "Anyone") to use inbuilt services such as SpreadsheetApp. See Second related answer linked below.
In this case, PRIVATE_KEY of the service account acts as a password to access the spreadsheet with edit privileges. So, exposing it directly in the script editor will give access to any of the editors to access protected areas of the spreadsheet and all service account resources. So, in a way, protected areas are not protected in a absolute way. If protected areas need to be absolutely protected, You may be able to bypass this limitation
using two script projects: a bound one posting data to a unbound one, which is published as a web app and holds the private key. Here, editors can be supplied with passwords to access the unbound script.
Another way is to simply publish a addon, as a addon's source code is never visible to end users.
Workaround#2 - Installable triggers:
Use a installable edit trigger with a checkbox. Users click a checkbox in the unprotected area and script modifies the protected area.
Installable triggers run under the authority of the user who installed it and not as the current user.
They can bypass permission restrictions of the sheet. But this is a double edged sword. Anyone with edit permission will be able to trigger the script. Not only that, they may also be able to access the script editor and modify the script as they see fit. To limit foul usage,
Set the script to run only at a specified version: This can be done by setting the edit trigger manually in Tools > Script editor> Edit > Current project triggers > Add trigger > Select version. Script must have a saved version and be deployed as a webapp(doesn't need to be working).
Avoid providing unnecessary scopes to the script. Limit oauthScopes by editing manifest file. Preferably the only scope provided should be https://www.googleapis.com/auth/spreadsheets.currentonly
Related:
Is there a way to let a user edit another spreadsheet with a script and hide it from him at the same time?
Google App Script execute function when a user selects a cell in a range
I have been searching for a solution to a Sheet Protection issue, I have a Sheet that includes automated scripts to write data into the Sheet below from some fields at the top. I want the user to be able to provide the data in the fields at the top and then to run a script that adds the data below. The script to add the data works fine for the owner of the sheet if Protection is enabled, but fails for any user that has Edit rights as the Protection cannot be cleared by script for the data to be written to the bottom of the sheet.
https://developers.googleblog.com/2015/02/control-protected-ranges-and-sheets-in.html
I found this code from a Google blog post a few years ago and have tried variations without success....is this type of approach just not possible with Google Sheets and Google Script ?
Unfortunately, that is not currently possible to run a bound script as the owner without using a workaround. Scripts can only be run as the owner when they use Triggers or when you make a standalone Script Web App. You can see this for more information.
This should bypass fooling around with scripting protection ranges!
The Workaround!
There is a way you can get around this by creating a web app so that your bound script talks to the web app which runs on the spreadsheet. See this answer for more information.
So the process looks like this: User clicks a button that runs a function on a bound script. This function makes a web call to a web app that can run a function as the person who created the script.
I would also recommend you pay attention to a comment by Augustine C:
...you may also find it helpful to have a shared secret key saved in your spreadsheet and then verify it using the backend webapp script, or to perhaps verify that the recipient of the email is, in fact, also an editor of your Google Sheet.
I'm coding a script for a spreadsheet. This script creates a menu.
Then by choosing an option in this menu a function (which uses API) will run in order to filter some columns and hide others.
The problem is:
This sheet is protected (because shared with coworkers) but I want to allow people to run the script, which is impossible without the permission.
I already looked at different solutions:
Using a trigger: Doesn't work because a trigger can't correctly call a function which uses API (yes, my functions use API).
Web App: When the script is run from the spreadsheet, the script is run as the current user, not the script editor. (the web app is efficient if the user uses the HTML page.)
Remove protection -> run the function -> Re-add protection: Can't modify the protection without permission, which is logical.
Add the current user in the list editor -> run the function -> Remove the current user from the list editor: Can't modify the editor list without permission, which is logical.
How can I solve this problem?
This is a pain that I have not seen a good workaround. Google should know that in a collaborative environment that the owner would create script and want users to be able to run those scripts while at the same time not messing with formulas or cells that you desire to protect. The only way I have found to solve this on the sheet itself is to Unprotect and then Protect the cell or range you are making modifications to during the script run. Do be mindful that if the script fails in the middle (after you have unprotected it) the cell remain unprotected. Might want to run within a "try" script.
Are you the spreadsheet owner?
If no, you are not authorized to bound an apps script on it.
But you can make a copy of the spreadsheet by duplicate it and save in your drive.
If the spreadsheet is created by you yourself, maybe you created it by another username. If it does, log in by that user and change the sharing option to allow the specific user can edit it.
I have a system (I'm the only user of this system, and that's not expected to change, ever) in which spreadsheets are copied from a template file. This template has a script, which populates a few menus to perform some operations. So each new copy of the template spreadsheet has its own copy of the script. The problem with this is that every time a new spreadsheet is used, the user (me) has to authorize the execution of the script. This didn't use to be that bad, but the authorization process has recently become way more annoying (see for example https://developers.google.com/apps-script/images/unverified-app-ui.gif). Given that I'm the only user of these spreadsheets, I think this process is unnecessary and wish to get around it.
I have tried to get around this by extracting the code into a standalone script file and publishing as an add on (https://developers.google.com/apps-script/quickstart/docs) but actually publishing it requires me to pay 5 dollars, and I think this is ridiculous given that I am the only user.
Any other ideas?
Thanks in advance.
AFAIK, that's the intended behavior. Check guide to the authorization lifecycle for add-ons.
Add-on automatically runs its onOpen(e) function to add menu items when a document opens — but to protect users' data, Apps Script restricts what the onOpen(e) function can do.
Note that only published add-ons can be in AuthMode.NONE.
The concept of authorization modes applies to all Apps Script executions.
I've created a spreadsheet with some GAS behind it that opens a form with some inputs, and now I need to deploy the webapp and share it to some other users. The problem is that when the other users try to open the spreadsheet (shared in Google Drive), they get this error message:
I've already tried to:
Share the spreadsheet to the user/s (Adding the user/s email address with permission Can edit)
Deploy the webapp settings with the following settings:
As you can see, the setting screen reports "You need to authorize the script before distributing the URL".
How can I authorize the script? I can't find a way to do that. Do you know if there's another way to share and let other users run the script?
Since you selected to execute the app as you, you need to authorize this script first.
Just select method doGet and press run in the editor, you will get the chance to authorize.
The problem is you are mixing web app with ui dialog on a sheet.
The webapp is accesed from the webapp url (given when you publish the webapp).
The ui dialog is a window shown on top of the spreadsheet.
You want to use webapp, follow the tutorial for that. Publish it to be accesed from the domain if all users are in the same gapps domain. Else use public anonymous.
Run doGet before publish to authorize. Its also possible to do the other ui-on-sheet but you need more steps for each user to authorize.
You need to manually verify that your script has access to the document.
Add a function to your script that accesses the document:
function doInstall() {
var mysheet = SpreadsheetApp.openById('x4535khxxhidh...');
}
In script-editor select: Run->doInstall (Or what ever you call your function) when you should be asked to verify that the script is authorized to access the document.
The following worked for me:
Go to «Publish»
Click on «Deploy as web app»
Click on «Disable web app» (in case you have published it already)
Execute the Script clicking on «Run»
Authorize the Script and grant permissions with your account
Again, go to «Publish» and click on «Deploy as web app»
Add another «Project version» (in case you have published it already)
Change «Who has access to the app:» to «Anyone, even anonymous» as needed