Apps Script Execution Permissions for Google Sheets - google-apps-script

How can I allow users with permissions of "View Only" the ability to execute an apps script in a spreadsheet?
I've created a custom menu choice triggered by onOpen() that launches the script fine for anyone with edit permissions. However, onOpen() does not run for anyone with only view/comment permissions (consistent with the documentation) and thus the menu is not created and there is no way to launch the script.
Ideally, I would like view only users to view and execute the script, but not modify it.

If executing the script results in modifying any content of the sheet then I think it's reasonable to expect only those users with edit rights will be able to run the script. In view of this I am not sure I understand the question at all.

Ideally, I would like view only users to view and execute the script, but not modify it.
Simple triggers and installable triggers that are able to use SpreadsheetApp.getUi like onOpen and onEdit are executed only for users with edit permissions.
Instead of using a custom menu you could add a link to script published as web app allowed to be accessed by anyone and run. The link could be added to a cell or to an image.
Related
Threads with answers with score > 0
Google App Script - allowing access for anonymous users
Threads with one answer with 0 score
Extend Google Spreadsheets UI with a Google Web App
Google Spreadsheet - Custom menu won't load because onOpen won't fire

I just spend a few days on this and don't believe you can! In order to let an anonymous user execute a web app google app script, you have to set it to "Anyone on the internet with this link can edit" in the app script sharing options. Plus you have to make the sheets the script touches editable by anyone. Plus you have to deploy it as executed by you and everyone has access.
No sir, I don't like it. The app script should be executable without being editable. Google's choice makes no sense, especially considering how difficult they've made it to share content with anonymous users. You'd think they would allow an execute privilege without a modify privilege. (Are opinions allowed in answers?)

Related

How can I "publish" an editor add-on to be used by just me?

I'm involved in a standards development group where the meeting invitations are sent out, not as calendar invites, but as Word docs. I've written a script that allows me to take the Word doc uploaded to Google Drive, and run the script to create an entry on a Google calendar that I maintain.
At the moment, the script is unpublished, and to run it on the docs I use the "Test as Add-On" function from the script editor. That's a bit cumbersome because I have to go through the selection dialog to select the doc I want to run it on. Additionally, in the new scripts editor, it won't be possible to delete old tests and so my test dialog will end up getting filled up with every run of the script I've ever carried out.
It would be much better if I could have the script available to me, and me only, from the Extensions->Add-Ons menu when I open a doc. The script is not suitable for general publication: it works only on docs with the exact format of these meeting notices, so it should only be run by someone who knows what they're doing, and it accesses a calendar that I own, so I don't want to make it public. But I would like to be able to put it into some kind of "deployed" state so that, as I say, when I open any doc when I'm logged in as me, the script is just available directly from the Add-Ons menu.
Is there any way to achieve this? Or is there an alternative approach possible to this general problem, of having a script that you want to run on multiple documents that you own without having to formally publish it?
One option to "test as add-on" without publishing the script as an editor add-on, is to use installable triggers instead of simple triggers. This triggers should be created by using code in order to avoid having to add any code to each spreadsheet.
If you are determined to take the publishing path you can set your add-on listing to be "unlisted", this means that the add-on will not appear on the Google Workspace Marketplace, people will need to know the installation URL to be able to install the add-on.
Other options:
If you have a Google Workspace account you could publish the add-on privately for your domain. If you don't have this account type or if this is "not good enough", you might make your Google Apps Script add-on publicly installable but limit its core features to be used only by you by making use of a dynamic custom menu. For details please checkout Editor add-on authorization
The dynamic custom menu might based on a setting depending on the user email address. To make this work, as the Session.getActiveUser() requires authorization to run, it can't be executed by simple triggers, but you might implement a workflow to save it or a flag, i.e. add an option to the custom menu to initialize the editor add-on.
Another option is to make the dynamic custom menu based on the spreadsheet structure and/or content.
References
Installable Triggers
Enable and configure the Google Workspace Marketplace SDK
Related
Google Apps Script: Dynamically creating spreadsheet menu items
Publish an add-on privately

Can an apps script macro in a Google sheet be used by other users?

I have a fairly simple requirement for a Google sheets apps macro script - it basically pulls the values from a couple of cells in another sheet and displays them in an alert box.
I've done the macro for this and it works fine. What I now want is for anyone I've shared the sheet with to be able to run the same macro. This is where things have suddenly got a bit more involved! My questions are:
Is this possible? And if so, what's the best way of achieveing it? At the moment, the macro is not available for the test user I've shared the sheet with. I've had a bit of a look around and it seems like publishing the script as a web app may be the way to go - can anyone confirm if that is correct? Or would there be a better option? I don't know anything about web apps so just want to confirm if this is the best option before trying to wrap my head around it all.
If the sheet in question has been shared with a user, but the second sheet which the script pulls data from has not, is it still possible for the user to run the script and retrieve the data? Or would the second sheet need to be shared with that same user as well? (If it would then it kinda defeats the object of what I'm trying to achieve).
Finally, would the user with whom the sheet is shared have to have a Google account in order to do this? I'm assuming so...which is a bit of a pain, but I guess understandable.
Thanks very much
Wokaround
Following the requirements you have described I get that you want your users to trigger an Apps Script function that will alter or get data from your Spreadsheet while only granting your users viewer-only acccess.
As described here only users with editor level access can run functions on your bounded script or activate it when clicking a button in your Spreadsheet.
To overcome this you can create a simple web app with a button that will trigger your function. Users will have to access this web app to trigger the function. The good point is that they will not have editor level access to the Spreadsheet nor to the actual script of the web app (as they will just interact with its user interface).
The web app would be a different script that can interface any of your Spreadsheets editing them or getting any information from them.

Are Google scripts attached to a readonly spreadsheet visible to the user?

I'm working in a Google Script that runs on a a Google Spreadsheet and creates an onEdit() trigger on it.
I would like to know if this script is somehow visible (through Google's interface or any kind of source code inspection) to the users that access the table with readonly permissions.
From my understanding users would not be able to access such a script, since they are suppose to run on Google's server side and not on the client browser. I couldn't find anything about that on App Scripts documentation.
Regarding the use of a web browser developers tools (like right click and selecting Inspect) over a spreadsheet they will not the script code if you do right clic over an spreadsheet but it might show the name of functions called by a custom menu or image with an assigned function, not the code of the onEdit function.
User with view access can't view the code but, if you didn't disable disabled make a copy, they see the code if they made a copy of the spreadsheet.
An alternative to limit users to make a copy of the spreadsheet is to publish your script as an add-on.
Related
How to protect the Apps Script code in a Google spreadsheet?

create Google Sheet database accessed by different users

I've built a spreadsheet as a form by google script with one button which updates a database(a different sheet) according to the form - btn_pressed().
I want to authorize any google account I give access to - to use the form (activate the google script code), and update the database and send mail (part of the btn_pressed() process).
should I publish the script as a web app? or there's another way to do what I'm looking for
I understand that you want to automatically authorise the script for other users when they come to run the script?
I recently learnt you can only do this with certain triggers such as onOpen() out onEdit(), there is a way round this though. Please see the following link as i asked the question on here myself!
Remove authorisation required for script on Google sheets
I trust that helps

Authorization on spreadsheet script for own use

I have a system (I'm the only user of this system, and that's not expected to change, ever) in which spreadsheets are copied from a template file. This template has a script, which populates a few menus to perform some operations. So each new copy of the template spreadsheet has its own copy of the script. The problem with this is that every time a new spreadsheet is used, the user (me) has to authorize the execution of the script. This didn't use to be that bad, but the authorization process has recently become way more annoying (see for example https://developers.google.com/apps-script/images/unverified-app-ui.gif). Given that I'm the only user of these spreadsheets, I think this process is unnecessary and wish to get around it.
I have tried to get around this by extracting the code into a standalone script file and publishing as an add on (https://developers.google.com/apps-script/quickstart/docs) but actually publishing it requires me to pay 5 dollars, and I think this is ridiculous given that I am the only user.
Any other ideas?
Thanks in advance.
AFAIK, that's the intended behavior. Check guide to the authorization lifecycle for add-ons.
Add-on automatically runs its onOpen(e) function to add menu items when a document opens — but to protect users' data, Apps Script restricts what the onOpen(e) function can do.
Note that only published add-ons can be in AuthMode.NONE.
The concept of authorization modes applies to all Apps Script executions.