What are the consistency guarantees of the Google Drive API? - google-drive-api

I've written a test suite for my google drive api library and am witnessing some non-deterministic behavior. In the simplest case, I can insert a permission on a file, then immediately get a list of permissions on the file and I don't see the newly inserted permission.
I'm chalking this up to eventual consistency being eventual, but it would be nice to know if this is actually the case; the documentation makes no mention of consistency delays.

I can't see this documented anywhere but there is a simple experiment you can do.
Adding and removing permissions is an asynchronous and queued task in my opinion and eventual consistency is my observation too. You can confirm this with a GSuite for Business account by conducting a test as follows:
In the Drive UI, upload a folder tree structure with a root folder, 3 or 4 levels of sub-folders and 300 to 500 files. You may get away with fewer but this is how many I used.
In the Drive UI, share the root of those folders with another user on your domain.
In Admin Console > Reports > Audit > Drive, add Filters as follows:
Event name: User Sharing Permissions Change
User name: the email of the user you added in step 2.
Owner: your email
Date and time range:
From: add yesterday's date
To: add today's date and 23:59 as time
Press search. You should see hundreds of events - one for every file and folder you added in step 1. Each event shows the exact time stamp of the permission being added.
As you should see, the permissions are not added instantly. It can take many minutes/hours depending on the numbers involved and (I assume) indeterminate work going on in the Google cloud.

It is indeed. If you think about Google's infrastructure, it's all about read performance and data integrity through massive distribution. The inevitable consequence of that is that write performance is relatively poor and asynchronous.

Related

Different roles for folders and files in Google Drive (GSuite)

I have a GSuite with user groups, every group is one department in the organisation. I got the following permissions now:
Every department can edit his own folder
Every department can view folders of the other departments
Only I want that every department who can view something, also can comment on GDoc files and Spreadsheet files. I know I can change this on every file indiviually, but our Drive has over 1000 GDoc files. I'm not going by every old (and new) file to change this permission everytime.
I tried to solve this with a script and tried
file.addCommenter(email); -> Invalid argument: permission.value
file.setSharing(DriveApp.Access.PRIVATE, DriveApp.Permission.COMMENT) -> No error, but also no result.
Does someone know a solution for this?
file.addCommenter(email); -> Invalid argument: permission.value
That's a tricky one. There is an open issue #4231 since July 2014 (!) about this. I have not personally encountered this, but apparently it is an issue, though may be a rare one. Is it a specific file type that this fails on? I have just tested file.addCommenter(email) on all Google file types, and it worked without an issue for me.
Is the account your script is executing under the OWNER of these files, or only has 'EDIT' access to them? Has the option 'Prevent editors from changing access and adding new people' been enabled for these files? These are some things I would start checking to pinpoint the cause of the issue.
If all else fails, I suggest you contact Google Support rep with this - there should be a link for this in your GSuite Admin Control Panel.
file.setSharing(DriveApp.Access.PRIVATE, DriveApp.Permission.COMMENT)
-> No error, but also no result.
I do not think this will do what you expect it to. setSharing() method sets the sharing properties of the file besides any individual users who have been explicitly given access. Basically, setSharing() method will not change the sharing access of users who have already been explicitly granted some level of access to the file.
The way you could potentially use it, is to grant COMMENT access to the file to any user in your domain using file.setSharing(DriveApp.Access.DOMAIN_WITH_LINK, DriveApp.Permission.COMMENT), provided you are GSuite for Business or EDU user.
Hope this helps!

Google Drive API - Compound Permissions on Files

Is it possible to have compound permissions on files? For example, I'd like User A to have writer access until a set date, then after that date they can only comment (or view) the file. Right now as I'm testing on my personal files, the API explorer doesn't show all the permissions I have set.
Directly though the API you can set the roll and type of access each user has your application would have to remove it after said date.
You could try reading the documentation: Permissions: create
Have a look on the expirationTime field in the permission resource
https://developers.google.com/drive/v3/reference/permissions
You can create a permission, that will expire at the defined moment.
So for your task, you can create two permissions one for reading and commenting without expiration time, and another for writing with expiration time.

Are there any hooks for user modification events in google apps?

Currently the bane of my existence is dealing with users email signatures at work, changing names, titles, departments, new users...it's all annoying. Currently I manage it with GAM and a semi templated HTML file to push changes, which works okay, but it's still a manual process. What I'm looking to do is create a small app script or app engine project that can...
detect a new or changed user
pull the fields needed to fill in their signature template
push the changes to their account
2 & 3 are no problem at all, it's #1 that I cannot find a reasonable solution to.
I had thought about using the google apps audit settings to email a specific mailbox when a new user is created, but that will only catch new users, not changes in titles and such. My only apparent option is something that runs periodically checking all the users signatures against what my script would generate and updating if needed, but that's hardly efficient and creates a potential timelapse in the waiting period meaning when people want things 'done now' (which is of course, every request), it will mean I manually trigger the job; effectively bringing me back to my original solution.
Is there any kind of user feed that contains changes available in google apps? Maybe google has a POST hook that hits a predefined URL on changes?
You can probably use push notifications for this https://developers.google.com/drive/web/push using the users.watch method https://developers.google.com/admin-sdk/directory/v1/reference/users/watch

Access Google Drive API without creating WebApp?

First I apologize if I'm a dolt and am missing something obvious, but I've spent a few hours scouring documentation and am lost.
I'm trying to write a python script that will upload a bunch of images to a single user's Google Drive. The user already exists and will never change. I am not writing a web app and don't plan to use any user interface whatsoever. Everything will be done through code.
As best I can understand from the Google documentation, I have two choices:
1) Write a web app and register it to use the Drive DSK. This of course requires having urls and such for the web app.
2) Create a service account, which ties my "app" to a new service account email.
Neither of these options works for me. Is there any way to simply log in to a single user account and access their drive through python scripting?
There is a deprecated API called ClientLogin that would enable you to use the username and password for a login to access that Drive data.
But the basic idea is that you should be using something more secure -- from your users' point of view -- that allows them to authorize you without giving you their password.
For your use case it is possible that the user is you or someone you know and that you are accessing their account through a more personal kind of authorization. In that case, ClientLogin may be your best choice. If this is an application designed to be used by arbitrary users, the deprecation of ClientLogin is for a good reason and I would urge you to bite the bullet and choose one of the supported options.
The correct solution is to separate the authorization phase from the access phase. The authorization process needs to be run one time only, and can be done from a simple web site. The result of this is a refresh token which is analogous to a username/password. You will need to be aware of the security implications. Make sure you only grant drive.file scope to minimise the impact of a security breach.
Since you are uploading images, you might also want to look at the picassa api.

Transfer ownership for ALL files in user's google drive - using google-api-java-client and the Drive SDK

We have a google corporate account and need to transfer ALL of a user's google drive files to another account in certain instances. We want to do what is described at the following link for "all files" but programatically via the latest Drive API http://support.google.com/a/bin/answer.py?hl=en&answer=1247799
We are currently using the following API version(s) below, coupled with domain wide authority delegation as described at https://developers.google.com/drive/delegation and are able to see a user's files, iterate over them etc.
google-api-services-drive 1.14.2-beta
google-api-client 1.14.1-beta
My question is this: it appears that the only way to change permissions is by fileId by fileId etc. Instead of having to traverse and iterate over an entire set of user's files, if we just want to transfer ALL of a user's files to another particular user: is there a way in the API to do this (ownership transfer for ALL files) rather than individual requests file/by file?
Also when transferring ownershisp, must the transferee be in the same #domain or can it be another #domain we manage? I read somewhere that you can only transfer to owners in the same domain. Does this still hold true? For instance we manage #myCompany.com and have our corporate account registered under that, however that shell account has several sub-domains within it. We would like to transfer files from users in the sub-domains to a central user in the #myCompany domain.
You need to change permissions file by file, there is no updateAll type of functionality at the moment.
You cant transfer the ownership to another domain's user. Ownership can only be transferred to another user in the same domain as the current owner.
This answer doesn't directly answer your question, but it could be helpful for both you and future visitors.
As of now, you can mass transfer files to new users with Google's new Admin console. It doesn't let you filter for specific folders, but it does allow you to transfer all of one user's Drive files to a second user.
I know you were trying to create something which uses the API to iterate through folders and files, and you probably have a very specific use-case in mind. However, in the case where you have employees leaving, or you need to transfer everything, using the following method is fast and simple.
Open the Google Admin console
Go to Google Apps > Drive
Click on "Transfer ownership"
Fill out both user fields and submit
This process will even email both users once the process is completed.
You can do this with a single call to the Data Transfer API
Exactly what is needed but only with API!
Open the Google Admin console
Go to Google Apps > Drive
Click on "Transfer ownership"
Fill out both user fields and submit
This process will even email both users once the process is completed.
If this is not possible via API calls, then there is no point deleting a user using API.