google spreadsheet script html service for all - html

I wrote a google spreadsheet script incl. html service. Now I like to publish the html service as a survey. Everbody shall see it without registration at google but it should be not allowed to see the results of all participants.
Have you an idea how can I reach this?
I tryed a lot of publish options but I didn't reach my goal. Do you?

Right now, your Apps Script Project is probably bound to the spreadsheet. If the users who are submitting the form, never need to see the spreadsheet, then create an Apps Script file that is not bound to anything, it's "Stand Alone". Then do NOT share the spreadsheet. If you share the spreadsheet, then people who the file is shared with can VIEW the spreadsheet. It is possible to hide and protect sheets and ranges. And of course you can make settings for some users to be able to VIEW the spreadsheet, and others to EDIT.
If you share the spreadsheet file, then everyone it's shared with has VIEW permissions. You can't share a spreadsheet file and not give VIEW permissions. But, if you want some users to be able to see just some sheets in the spreadsheet, and not all the sheets, then you would need to write some code that ran when the Spreadsheet opened, and that code would be hiding and unhiding sheets depending on who opened the spreadsheet. Only users with EDIT permission can unhide a hidden sheet. So, that's an option. You can hide a sheet from anyone. But a user with EDIT permission can unhide the sheet. If you want to hide a sheet from someone with only VIEW permission, (They can't unhide it) then have code run onOpen() that checks the user, checks their permissions and either hides or unhides the sheet.
If the people submitting the form, never need to view the spreadsheet file, then don't even share the spreadsheet URL with those users. Just use the Stand Alone HTML Service as your "front end", "User Interface" with the users who never need to view the spreadsheet.
So, if the people who are using the HTML don't need to ever view the spreadsheet, then don't give those people the URL to the spreadsheet. Give them the URL to the published app. In that scenario, the users of the published app will never see the spreadsheet. The published app is essentially a website, with no real domain name.
The solution for you, depends on how simple or complicated the sharing, editing and viewing settings need to be.

When opening the script file, you need to use the Publish >> Deploy as web app option.
Then, choose the version you want to deploy as webapp or create a new one, set the app to execute as you, and add access to anyone (even anonymous). Like this:
The important thing is that the function that's called when someone access the URL that's shown for your web app, is a function called doGet(). So you must rename the function you use to display the UI and Form to doGet(). This function should return a valid HTML Output (normally using the HTMLService or the deprecated UiApp service).
So this:
Gets you this:

Related

Start a script from Custom Menu, ask user questions, create new sheet without needing permissions?

I have a shared Google Sheet which is an Installation Schedule for a small company. Each sheet is a week. I've created script actions that do things like look for data changes, and if appropriate, hide and unhide rows. This works for everyone that the spreadsheet is shared with, with no prompting for permission.
The function to create a new weeks is executing by clicking on a entry in a Custom Menu. It then prompts the user for the date of the first week and the number of weeks to create. After some user entry error checking, it copies a hidden template sheet to a sheet named after the week's date range, updates a date entry cell, copies sheet protections and then unhides the newly copied sheet. This works for me as the sheet owner, however, it is creating authentication dialogs for any other user to which the sheet has been shared.
I could get around this by deploying this as a test app in the Google Cloud Platform interfaces, but then I would have to specifically share it with the users, which a) are not part of a Google Workspace and b) are likely to change, therefore requiring on-going maintenance.
Given that the script is modifying "my" sheets file, I don't understand why permission would be needed and am hopeful there is a way around this.
I have searched for and tried many possibilities, but none seem to solve the problem.
Anyone have any expertise? I am a competent coder, but relatively new to Google Apps, so please be as detailed as possible.
Functions called from Google Workspace editor custom menus executes under the active user. If the function use any method that requires authorization to run it will show the OAuth consent screen for your script.
Unfortunately there is no way to avoid this. Even making calls to APIs through UrlFechApp by passing the appropriate credentials, in this case to call the Google Sheets API, it will be required authorization of the active user for https://www.googleapis.com/auth/script.external_request.
The option to use the custom menu to open a dialog or sidebar to run client side code will also require the user to authorize the script.
Considering the above iF you really want to avoid to ask the user to authorize anything, forget about using custom menus. You might consider to use installable triggers, i.e. use edit / change installable triggers to call functions when edit is made like clicking a checkbox or selective a value from a data validation dropdown.
Related
https://developers.google.com/apps-script/guides/sheets

Can an apps script macro in a Google sheet be used by other users?

I have a fairly simple requirement for a Google sheets apps macro script - it basically pulls the values from a couple of cells in another sheet and displays them in an alert box.
I've done the macro for this and it works fine. What I now want is for anyone I've shared the sheet with to be able to run the same macro. This is where things have suddenly got a bit more involved! My questions are:
Is this possible? And if so, what's the best way of achieveing it? At the moment, the macro is not available for the test user I've shared the sheet with. I've had a bit of a look around and it seems like publishing the script as a web app may be the way to go - can anyone confirm if that is correct? Or would there be a better option? I don't know anything about web apps so just want to confirm if this is the best option before trying to wrap my head around it all.
If the sheet in question has been shared with a user, but the second sheet which the script pulls data from has not, is it still possible for the user to run the script and retrieve the data? Or would the second sheet need to be shared with that same user as well? (If it would then it kinda defeats the object of what I'm trying to achieve).
Finally, would the user with whom the sheet is shared have to have a Google account in order to do this? I'm assuming so...which is a bit of a pain, but I guess understandable.
Thanks very much
Wokaround
Following the requirements you have described I get that you want your users to trigger an Apps Script function that will alter or get data from your Spreadsheet while only granting your users viewer-only acccess.
As described here only users with editor level access can run functions on your bounded script or activate it when clicking a button in your Spreadsheet.
To overcome this you can create a simple web app with a button that will trigger your function. Users will have to access this web app to trigger the function. The good point is that they will not have editor level access to the Spreadsheet nor to the actual script of the web app (as they will just interact with its user interface).
The web app would be a different script that can interface any of your Spreadsheets editing them or getting any information from them.

Are Google scripts attached to a readonly spreadsheet visible to the user?

I'm working in a Google Script that runs on a a Google Spreadsheet and creates an onEdit() trigger on it.
I would like to know if this script is somehow visible (through Google's interface or any kind of source code inspection) to the users that access the table with readonly permissions.
From my understanding users would not be able to access such a script, since they are suppose to run on Google's server side and not on the client browser. I couldn't find anything about that on App Scripts documentation.
Regarding the use of a web browser developers tools (like right click and selecting Inspect) over a spreadsheet they will not the script code if you do right clic over an spreadsheet but it might show the name of functions called by a custom menu or image with an assigned function, not the code of the onEdit function.
User with view access can't view the code but, if you didn't disable disabled make a copy, they see the code if they made a copy of the spreadsheet.
An alternative to limit users to make a copy of the spreadsheet is to publish your script as an add-on.
Related
How to protect the Apps Script code in a Google spreadsheet?

Google Script and Anonymous user in Google Sheet

I've a public Google Sheet (everyone can access it and edit it). In it, I use a script, a function, that download a csv with the UrlFetchApp.fetch(url);.
When an anonymous user access it (without the google login), the user can view, and edit the sheet, but, the user cannot run the script. The user must be logged with a google account to the script do the working.
The stranger thing is that this sheet with this script was working for anonymous users early. This problem didn't occur before a couple weeks ago.
Do you know if the google change something about security or is it an error that I am doing?
In order to run apps script on a particular user's behalf, Google Workspace requires that user's permission, via an OAuth flow.
If a user is anonymous therefore, you can see why this permission cannot be granted, which is why the script won't work for those users.
I guess it is an intended behavior as long as the anonymous user access the sheet via shareable link. As stated in this support page, you might see a name you don’t recognize or "anonymous animals" viewing your document, spreadsheet, or presentation. This can happen when a document is shared publicly or with anyone who has the link.
Limit how people can view your file
If you want to stop sharing a file you can edit, you can learn how to:
Turn off link sharing for a file.
Prevent others from sharing files you own.
Hope this helps.

web app : sharing settings

I have an apps script, a web app (within google site, share option: "Who has access to the app:anyone within mydomain" when publishing it) who make a forms using code as :
var app = UiApp.createApplication();
var panel = app.createVerticalPanel();
.....
When user press submit button the data are saved in a spreadsheet.
I have to give full access to an user group on this spreadsheet in order to make the forms works.
the problem, is that i don't want user1 (belonging to the user group) see what user2(belonging to the user group) has save in this spreadsheet.
At the moment, i share the spreadsheet without notifications but users are style able to access the spreadsheet using "shared with me" button on the drive.
Question:
Is that possible to hide share (like $ share on windows)?
Is that possible to let the script special grant option to read/write the spreadsheet without sharing it with the user group on run time.
or how the actual google forms (the one provide by google drive, not mine) handle this problem ?
Google API is not activate in my domain, i have a google education license and i am the admin of this domain.
hope it's clear enough.^^
thanks for hwelp
If you use Google Forms, you do not need to share your spreadsheet at all. You can distribute the URL for the live form, and from there users can only enter form data. Forms are static, though - you can edit the questions easily, and create logical flows between pages of questions based on previous answers, but you cannot dynamically include data. You're also very limited in your options for layout. But aside from that, the ease of use and information security make them a good option.
With Legacy Forms, collected data is stored in a spreadsheet. Since the introduction of the new Forms, you need to first create your spreadsheet, then select Forms - Create Legacy Form to start. The "Summary of Responses" report reflects what is in the form table in the spreadsheet. Any changes you make to the sheet affect this, for example row deletion, addition, or information edits.
With the new Forms, introduced in February 2013, the collected data is attached to the Form, not a Spreadsheet. You can choose to have it copied to a spreadsheet, but since that is a copy, any edits you make to it will not be reflected in the "Summary of Responses". You can create a new Form from the "Create" dialog in Drive, or from within a spreadsheet.
Your spreadsheet must be shared as 'anyone with the link can EDIT', as long as you don't publish this link no one will be able to find it and it will not appear in their 'shared with me' category.
Your webapp however will allow each user to fill the spreadsheet with their date by using the form.
see this other post that shows a practical example.