Determine Script Authorization Requirements - google-apps-script

I have a script associated with a spreadsheet which requests Authorization. When granted and I look at the Permissions associated with my account the script has the following:
Has some account access, including Google Docs
Google Docs
View and manage your documents in Google Drive
View and manage your spreadsheets in Google Drive
Additional access
View and manage your forms in Google Drive
I am surprised it is going to this level as all the function calls I am seeing are either getting an active item or getting the sheet by name (not the file, a tab inside the file). Outside of an HTML service form, there is nothing I see which should call a Google Form item. Nor do I see anything about a Doc. Just Spreadsheet items.
Is there any way to determine where the various authorized access items are IN the code without trial and error?

Related

Authorization scopes for spreadsheets

I have created a standalone Google Apps Script (it does not belong to any document). The script get triggered automatically at some fixed intervals. This script
creates a couple of folder (if they don't exist)
creates a Google spreadsheet (if it doesn exist). Read said
spreadsheet.
update calendar events
I noticed that when I first run it, it asked for permissions to read, delete all Google Drive items, all spreadsheets and all calendar events
I work on tailoring the scopes required and at least Google Drive does not have those broad permissions. I am still unable to reduce the scope for Google spreadsheet (And also calendar).
An expert #TheMaster made a post some years but is not exactly the same case.
I tried changing the scopes but the editor complained and requested that to use openById I need to change the scopes back
Ok, I ended up changing how my solution was structured.
Before Script lived outside the spreadsheet
Now script lives inside the spreadsheet. I am now know doing scopes directly on the manifest and using onlycurrentdoc.
From https://developers.google.com/apps-script/guides/services/authorization#manual_authorization_scopes_for_sheets_docs_slides_and_forms
Manual authorization scopes for Sheets, Docs, Slides, and Forms
If you're building an add-on or other script that uses the Spreadsheet service, Document service, Slides service, or Forms service, you can force the authorization dialog to ask only for access to files in which the add-on or script is used, rather than all of a user's spreadsheets, documents, or forms. To do so, include the following JsDoc annotation in a file-level comment:
/**
* #OnlyCurrentDoc
*/
Besides the above, look at each method reference documentation at the https://developers.google.com/apps-script/reference. At the bottom of the corresponding section you will find a list of the scopes that might be u sed for each method. Some methods have more than one scope, choose the one that better fits what you need.
Related
How to narrow scopes for Google Apps Script to specific files
References
https://developers.google.com/apps-script/guides/services/authorization
https://developers.google.com/identity/protocols/oauth2/scopes

Unable to open Google xlsx spreadsheet / Also Google Drive permission Blocked

I have a Google Apps Script that I am currently using to successfully open a Google Sheets spreadsheet (read-only shared with my account) and perform some reading functions.
I received another spreadsheet that I would like to run similar processes on.
If I try:
SpreadsheetApp.openById("_______") (which works on the other sheet), I get Exception: Service Spreadsheets failed while accessing document with id _____" with this sheet. This spreadsheet is actually an xlsx on Google Drive (but appears it can still open in Google sheets) rather than a native Google sheet so I figured maybe that was the issue...?
So now I'm trying to instead access it as a Google Drive file using DriveApp.getFileById("____"). However now I get an authorization request to allow my script to access Google Drive. When I authorize it, I get:
This app is blocked
This app tried to access sensitive info in your Google Account. To keep your account safe, Google blocked this access.
I haven't found a way to fix this. I'm on a private Google account, not using a company's Apps.
Any ideas?
Found a solution to the permission issue.
To work with Apps Script, I've modified this from #alper's solution which sources #tellowkrinkle's comment.
Do the following:
Go to https://console.developers.google.com and create a new project for yourself
Search for the Google Drive API in the search box at the top, and turn it on
Click OAuth consent screen on the left and set it up.
Assuming your account isn't part of an organization, you'll have to say your app is for external users and in testing
In the required scopes section, add .../auth/docs and .../auth/drive (I'm not sure which needed, it's probably only one of those). This will probably not be available if you didn't complete (2)
Add the accounts you want to use with your copy of gdrive as testers of your app. Only these accounts will be able to use your copy of gdrive, so everyone will have to compile their own (unless someone goes and gets theirs reviewed by Google). I only added my own account because I am the only one using my App Script which uses my Drive.
Click the 3 dots on the top right and select "Project settings". Make note of the "Project number".
Go to your Apps Script. Go to Resources > Cloud Platform project. Insert the project number from (4).
Next time you try to run your Apps Script, you'll be asked to Authorize but this time you'll have the chance to actually do it successfully.

Add-on not available on shareable link sheet

We have a Google Apps domain. The domain has a sheet with a Google Apps Script add-on. We have to share this sheet with people outside our organisation. The add-on is used to refresh the data displayed in the spreadsheet.
When someone who isn't logged in opens the shared link, the add-on is not available for them. Is there a way to get around this?
You will not be able to get around the restriction that requires the user to be logged in.
Your add-on modifies spreadsheet contents on behalf of the user.
That operation requires authorization from the user.
Only logged-in users can grant authorization.
Reference: Develop Add-ons for Google Sheets, Docs, and Forms - Authorization
A separate web service that ran as you, say, and was accessible to "Everyone, including anonymous", could modify a spreadsheet without requiring a user to be logged in. You could not make this part of the Sheets UI, though.

How to share a Google Spreadsheet that utilizes Google App Scripts within a company domain?

I have a seemingly simple problem that seems to get more complicated the more I get into it.
I have one spreadsheet document.
This spreadsheet utilizes a google apps script, that in turn utilizes various APIs: Domains, Sites, Spreadsheets...
To use this spreadsheet I have to take a few steps -
Authorize the spreadsheets. This dialog only comes up if I use the
script editor, otherwise the Spreadsheet fails silently.
Enable Domain API in Editor -> Resources -> Advanced Google Services
Enable Domain API in Google Developer Console to a seemingly hidden
project that is attached to my spreadsheet. The only way I can access this secret page is through the Advanced Google Services menu in step #2.
After getting through these hurdles, the spreadsheet now functions correctly without having to use the Script Editor.
Now I want to share this spreadsheet with other users in my company's domain.
Is there any easy way to do this, or will every single user I share it to have to jump through these hurdles as well?
Am I thinking about this wrong? The documentation states the script is 'attached' to the spreadsheet. But the more I get into it, the more separate these two things seem to be. I can share a spreadsheet - but the script won't function properly. I can publish a 'web app' with the script editor - but it won't come with the spreadsheet.
Any help appreciated
Frusteratingly yours...
Other users will have to have the same domain permissions as you do.
An approach you could take is have all the permissions related work done on a script that is published as a web app that will take url parameters (to trigger tasks), which is run as you and accessible to others.
From there, your original script can call the published url and send instructions via parameters.
https://developers.google.com/apps-script/guides/content

Collecting data from Google Apps users' spreadsheets programmatically

We have a number of Google Apps users, each of them has a non-public spreadsheet named 'XData' in their GDrive account. The Google Apps admin needs to be able to do the following:
Click one button that would collect specified data from users' spreadsheets and put it into a master spreadsheet on admin's account.
Click another button that would display the data from master spreadsheet to admin in a nice visual way.
What's the best way to implement such setup using Google tools (Fusion Tables and/or Admin SDK and/or Apps Script and/or Drive SDK and/or Spreadsheets API and/or etc)? The first step is optional if the second one can be accomplished without it.
1 and #2 can be done easily with apps script only if all the spreadsheets are shared with the script owner.
If they are not shared you can only do it with drive api and user delegation of permissions (see the drive api docs)