Google Apps Script publishing questions - google-apps-script

I have a few questions relating to publishing an add-on for Google Sheets.
I have a script right now set up with an on load trigger to run the script. Is it possible to have my script run the same way if it's published as an add-on? If not, I guess I can probably have the user click some sort of menu option to run it (which calls a specific function in my script)?
If I publish the script, can users see the code? The problem I have right now is that the script I'm using connects to an API that uses an API key to limit user requests. The key is meant to be private, and for now it's fine that I just have it in the code since I'm only using it privately. I don't have a way to hide the API key from the users if the code is public though, so it would really be a problem if it was public.

If you publish the Google Script as a web app or as an add-on, others cannot see the source code of the script.

"I have a script right now set up with an on load trigger to run the script."
If this means that you are trying to do anything apart from create a custom menu in the onOpen() it could fail as it may not have the authorisation to run; you are limited to what you can do in onOpen() in an add-on. Take a look at the add-on authorisation cycle.
The user can't see your add-on code. However if you were planning to open source your code at any point you can store private things like API keys using the Properties Service that can be manually set in the script editor (File>Project Properties>Script Properties) or by running a bit of code that you then delete.

Answer to question 1:
Yes, you can use the onOpen(e) simple trigger as outlined in the documentation.
(https://developers.google.com/apps-script/guides/triggers/
Answer to question 2:
As Amit Agarwal mentioned in their answer, the code for a published add-on will be private. Users will not be able to see your API key.

Related

How can I "publish" an editor add-on to be used by just me?

I'm involved in a standards development group where the meeting invitations are sent out, not as calendar invites, but as Word docs. I've written a script that allows me to take the Word doc uploaded to Google Drive, and run the script to create an entry on a Google calendar that I maintain.
At the moment, the script is unpublished, and to run it on the docs I use the "Test as Add-On" function from the script editor. That's a bit cumbersome because I have to go through the selection dialog to select the doc I want to run it on. Additionally, in the new scripts editor, it won't be possible to delete old tests and so my test dialog will end up getting filled up with every run of the script I've ever carried out.
It would be much better if I could have the script available to me, and me only, from the Extensions->Add-Ons menu when I open a doc. The script is not suitable for general publication: it works only on docs with the exact format of these meeting notices, so it should only be run by someone who knows what they're doing, and it accesses a calendar that I own, so I don't want to make it public. But I would like to be able to put it into some kind of "deployed" state so that, as I say, when I open any doc when I'm logged in as me, the script is just available directly from the Add-Ons menu.
Is there any way to achieve this? Or is there an alternative approach possible to this general problem, of having a script that you want to run on multiple documents that you own without having to formally publish it?
One option to "test as add-on" without publishing the script as an editor add-on, is to use installable triggers instead of simple triggers. This triggers should be created by using code in order to avoid having to add any code to each spreadsheet.
If you are determined to take the publishing path you can set your add-on listing to be "unlisted", this means that the add-on will not appear on the Google Workspace Marketplace, people will need to know the installation URL to be able to install the add-on.
Other options:
If you have a Google Workspace account you could publish the add-on privately for your domain. If you don't have this account type or if this is "not good enough", you might make your Google Apps Script add-on publicly installable but limit its core features to be used only by you by making use of a dynamic custom menu. For details please checkout Editor add-on authorization
The dynamic custom menu might based on a setting depending on the user email address. To make this work, as the Session.getActiveUser() requires authorization to run, it can't be executed by simple triggers, but you might implement a workflow to save it or a flag, i.e. add an option to the custom menu to initialize the editor add-on.
Another option is to make the dynamic custom menu based on the spreadsheet structure and/or content.
References
Installable Triggers
Enable and configure the Google Workspace Marketplace SDK
Related
Google Apps Script: Dynamically creating spreadsheet menu items
Publish an add-on privately

Publish as a private add-on to avoid granting permission on copies of gsheets

I have a similar question to both of the questions below. I have a script bound to a google sheets, and I use this sheet as template. However I'm looking for an option to not have to grant permission each time I copy the file.
From reading the answers in the questions below, I understand I have to publish a standalone script as an add-on.
However, reading this answer, I see that I need to create a Cloud Platform Dashboard and all bunch of stuff which looks pretty messy to me, such as google reviewing process. Again, it is only for personal use...
Is there a way I can privately publish it as an add-on, without having to go through all the process?
Thank you
What is the best way to create Container-bound Scripts that can be cloned?
Grant permissions on open for first time for a bound script in Google Sheets
If you don't want spreadsheet hook triggers like onEdit or button or anything else, You can use a standalone script.
A standalone script can be written, which loops through your spreadsheets doing what's needed based on a time trigger.
Adding to the already existing answer
Publishing a private add-on does not require going through the Google Review process, especially since it is for personal use only.
Therefore, the situations below do not require verification:
If you want to deploy the add-on solely for internal use which means that the add on will be used only by people in your Google Workspace or Cloud Identity organization.
If you want to use the add-on domain wide which means that the add on will be used only by Google Workspace enterprise users within the domain.
For the whole list of exceptions from the verification process, you can check this here.
Reference
OAuth API verification FAQs.

Enable Google Sheet Protection via Google Script

I have been searching for a solution to a Sheet Protection issue, I have a Sheet that includes automated scripts to write data into the Sheet below from some fields at the top. I want the user to be able to provide the data in the fields at the top and then to run a script that adds the data below. The script to add the data works fine for the owner of the sheet if Protection is enabled, but fails for any user that has Edit rights as the Protection cannot be cleared by script for the data to be written to the bottom of the sheet.
https://developers.googleblog.com/2015/02/control-protected-ranges-and-sheets-in.html
I found this code from a Google blog post a few years ago and have tried variations without success....is this type of approach just not possible with Google Sheets and Google Script ?
Unfortunately, that is not currently possible to run a bound script as the owner without using a workaround. Scripts can only be run as the owner when they use Triggers or when you make a standalone Script Web App. You can see this for more information.
This should bypass fooling around with scripting protection ranges!
The Workaround!
There is a way you can get around this by creating a web app so that your bound script talks to the web app which runs on the spreadsheet. See this answer for more information.
So the process looks like this: User clicks a button that runs a function on a bound script. This function makes a web call to a web app that can run a function as the person who created the script.
I would also recommend you pay attention to a comment by Augustine C:
...you may also find it helpful to have a shared secret key saved in your spreadsheet and then verify it using the backend webapp script, or to perhaps verify that the recipient of the email is, in fact, also an editor of your Google Sheet.

Authorization on spreadsheet script for own use

I have a system (I'm the only user of this system, and that's not expected to change, ever) in which spreadsheets are copied from a template file. This template has a script, which populates a few menus to perform some operations. So each new copy of the template spreadsheet has its own copy of the script. The problem with this is that every time a new spreadsheet is used, the user (me) has to authorize the execution of the script. This didn't use to be that bad, but the authorization process has recently become way more annoying (see for example https://developers.google.com/apps-script/images/unverified-app-ui.gif). Given that I'm the only user of these spreadsheets, I think this process is unnecessary and wish to get around it.
I have tried to get around this by extracting the code into a standalone script file and publishing as an add on (https://developers.google.com/apps-script/quickstart/docs) but actually publishing it requires me to pay 5 dollars, and I think this is ridiculous given that I am the only user.
Any other ideas?
Thanks in advance.
AFAIK, that's the intended behavior. Check guide to the authorization lifecycle for add-ons.
Add-on automatically runs its onOpen(e) function to add menu items when a document opens — but to protect users' data, Apps Script restricts what the onOpen(e) function can do.
Note that only published add-ons can be in AuthMode.NONE.
The concept of authorization modes applies to all Apps Script executions.

Apps Script Execution Permissions for Google Sheets

How can I allow users with permissions of "View Only" the ability to execute an apps script in a spreadsheet?
I've created a custom menu choice triggered by onOpen() that launches the script fine for anyone with edit permissions. However, onOpen() does not run for anyone with only view/comment permissions (consistent with the documentation) and thus the menu is not created and there is no way to launch the script.
Ideally, I would like view only users to view and execute the script, but not modify it.
If executing the script results in modifying any content of the sheet then I think it's reasonable to expect only those users with edit rights will be able to run the script. In view of this I am not sure I understand the question at all.
Ideally, I would like view only users to view and execute the script, but not modify it.
Simple triggers and installable triggers that are able to use SpreadsheetApp.getUi like onOpen and onEdit are executed only for users with edit permissions.
Instead of using a custom menu you could add a link to script published as web app allowed to be accessed by anyone and run. The link could be added to a cell or to an image.
Related
Threads with answers with score > 0
Google App Script - allowing access for anonymous users
Threads with one answer with 0 score
Extend Google Spreadsheets UI with a Google Web App
Google Spreadsheet - Custom menu won't load because onOpen won't fire
I just spend a few days on this and don't believe you can! In order to let an anonymous user execute a web app google app script, you have to set it to "Anyone on the internet with this link can edit" in the app script sharing options. Plus you have to make the sheets the script touches editable by anyone. Plus you have to deploy it as executed by you and everyone has access.
No sir, I don't like it. The app script should be executable without being editable. Google's choice makes no sense, especially considering how difficult they've made it to share content with anonymous users. You'd think they would allow an execute privilege without a modify privilege. (Are opinions allowed in answers?)