Spreadsheet Editable only with HTML Service gui? - google-apps-script

I have a Google App spreadsheet that I would like to make available to anyone with the link. It uses a custom gui to edit the cells of the spreadsheet. The custom gui is an HTML file launched using the HtmlService class in the Google Apps Script file.
How can I adjust the settings of the sheet so that anyone can open the spreadsheet and use the custom gui to make changes to the spreadsheet, but not make changes through any other means?
Here are the results I've had under various scenarios.
The gui works as expected but the sheet can be modified without it:
- Anyone with link can edit
- Gui launched via custom menu (App script runs as user)
The gui works as expected but the sheet can still be modified without it:
- Anyone with link can edit
- Gui launched via installable trigger (App script runs as trigger owner, which is also the document owner)
The gui cannot edit the sheet and neither can users otherwise:
- Anyone with link can comment
- Gui launched via installable trigger (App script runs as trigger owner, which is also the document owner)
My thought was that since the installable trigger is running as a user with permissions to change the sheet, that would work. Do that trigger's permissions not extend to an HTML Service gui that it opens?

It's not related to htmlServices. Simply, any gui that you launch by any means from the spreadsheet will run as the user using the spreadsheet.
You need to publish the service (to run as the script owner) and use that gui through its service url, NOT launching it from the spreadsheet (menu etc).

Related

Google doc generated by app script has unexpected owner

Beginner question – I have an app script in a Google Sheet (response sheet from a Google Form) generating Google Docs. It is unexpectedly making me the owner of those docs. The business owner is the owner of the form, sheet, doc template, and shared Google Drive folder where the docs are. She has given me edit access to all. She also is shown as the owner of the app script “project” in the sheet. The app script creates a copy of the template doc in the shared folder, and populates it with data from the form. I am the owner of these new documents, why is that? I am only editor of all the components involved. Can I fix it so that she is the default owner of the new docs?
The newly created documents will be owned by the account that runs the script. This is clear enough when you run the script manually, but it also happens when you run it through an installable trigger. The trigger owner will own the files created while the function runs.
Check who owns the 'formSubmit' trigger.
(From your script editor, view your triggers. The leftmost column will show who the trigger is owned by.) Since your name is appearing as owner, the trigger is most likely still owned by you.

Are Google scripts attached to a readonly spreadsheet visible to the user?

I'm working on a Google Script that runs on a Google Spreadsheet and creates an onEdit() trigger on it.
I would like to know if this script is somehow visible (through Google's interface or any kind of source code inspection) to the users that access the table with readonly permissions.
From my understanding users would not be able to access such a script, since they are supposed to run on Google's server side and not in the client browser. I couldn't find anything about that in the Apps Script documentation.
Regarding the use of a web browser's developer tools (like right-clicking and selecting Inspect) over a spreadsheet: they will not show the script code if you right-click on a spreadsheet, but they might show the names of functions called by a custom menu or an image with an assigned function, not the code of the onEdit function.
A user with view access can't view the code but, if you didn't disable "make a copy", they can see the code if they make a copy of the spreadsheet.
An alternative to restricting users from making a copy of the spreadsheet is to publish your script as an add-on.
Related
How to protect the Apps Script code in a Google spreadsheet?

google apps script: remove and restore protection

I have a spreadsheet that is editable by everyone with a protected sheet with some ranges unprotected.
I want cells that can be altered by a script run by any user (from a menu), but not manually.
When I run the script not as the owner it gives an error message when I try to temporarily remove the protection.
There seems to be no easy way to do this, because functions run from the menu are always executed as "user at the keyboard".
One workaround is to publish a Web App to always "Execute as" Owner. This web app will then write to protected ranges on doPost(). The function linked to Menu UI will then use UrlFetch to POST to the published Web App. You can also use some basic authentication with a password/randomly generated numbers to reject requests from outside your script.
Also, if you don't trust editors not to mess with your bound script, it's better to publish it as a private add-on, where the source code is not easily accessible.
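The workaround in the answer above, sketched as an added example (not code from the original posts): a doPost() handler for a web app deployed to execute as the owner, plus the menu-side call through UrlFetchApp. The property names SHARED_TOKEN and SHEET_ID, the sheet name "Data" and the writable window B2:D99 are assumptions made for the example.

```javascript
// Added example. Web app side: deploy with "Execute as: Me" so it writes as the owner.
// Assumed names (not from the page): script properties SHARED_TOKEN and SHEET_ID,
// a sheet called "Data", and the writable window B2:D99.
const ALLOWED_CELLS = /^[B-D]([2-9]|[1-9][0-9])$/;

// Compare without an early exit so response timing does not leak a matching prefix.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function reply(obj) {
  return ContentService.createTextOutput(JSON.stringify(obj))
    .setMimeType(ContentService.MimeType.JSON);
}

function doPost(e) {
  const props = PropertiesService.getScriptProperties();
  let req;
  try { req = JSON.parse(e.postData.contents) || {}; }
  catch (err) { return reply({ ok: false, error: 'bad json' }); }
  // The URL is reachable by anyone, so nothing is written before the token checks out.
  if (!safeEqual(req.token, props.getProperty('SHARED_TOKEN'))) {
    return reply({ ok: false, error: 'denied' });
  }
  // The caller never chooses an arbitrary range; only the allowlisted cells are writable.
  if (typeof req.cell !== 'string' || !ALLOWED_CELLS.test(req.cell)) {
    return reply({ ok: false, error: 'cell not allowed' });
  }
  // Plain short strings only, so a caller cannot plant a formula through setValue().
  if (typeof req.value !== 'string' || req.value.length > 200 || /^[=+\-@]/.test(req.value)) {
    return reply({ ok: false, error: 'value rejected' });
  }
  SpreadsheetApp.openById(props.getProperty('SHEET_ID'))
    .getSheetByName('Data').getRange(req.cell).setValue(req.value);
  return reply({ ok: true });
}

// Bound-script side, called from the custom menu; this part runs as the user at the keyboard.
function writeViaWebApp(webAppUrl, token, cell, value) {
  const res = UrlFetchApp.fetch(webAppUrl, {
    method: 'post', contentType: 'application/json',
    payload: JSON.stringify({ token, cell, value }), muteHttpExceptions: true,
  });
  return JSON.parse(res.getContentText());
}
```

The token that the menu function sends has to live somewhere the bound script can read it, so editors of that script can read it too; the allowlist and value checks limit what a leaked token can do.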

How to run a Google Apps Script in a read-only spreadsheet?

I'm new to the world of Google Apps Script, and I found myself faced with a problem. I've created a script that runs as an onOpen() trigger, but if the spreadsheet file is read-only, this script does not run. I read that, being read-only, it is not able to run it. Is there a way to remedy this problem?
I gave the permissions in edit, blocking all the cells from scripts. I wish people can not see the script, as this allows them to re-run the script and take "power" on the sheet. If I create an API can I keep the sheet read-only?
Any suggestions?
All scripts must run under someone's authority. Under whose authority a script is run determines whose data is accessible to the script and whether such authority can run the script.
Authorization Concepts:
Scripts which are run from the script editor run under the authorization of the user at the keyboard¹. Custom functions run anonymously. Installable triggers run under the user who created the trigger. WebApps run as per the options selected during deployment.
Simple triggers fire automatically and anonymously under these restrictions²:
- The script must be bound to a Google Sheets, Slides, Docs, or Forms file, or else be an add-on that extends one of those applications.
- They do not run if a file is opened in read-only (view or comment) mode.
- They cannot access services that require authorization.
Installable triggers must be set up and run under the user who set up the trigger³.
- They do not run if a file is opened in read-only (view or comment) mode.
- Installable triggers always run under the account of the person who created them.
- A given account cannot see triggers installed from a second account, even though the first account can still activate those triggers.
You can restrict access to spreadsheet, sheets or ranges⁴,⁵.
Deductions:
Mr.A (Owner) has a spreadsheet. The spreadsheet has two sheets: 1. Main Sheet and 2. Secret Sheet (the sheet is protected and hidden, to be edited only by Mr.A). It also has the following scripts:
1. A simple trigger script (onEdit) to set a timestamp as a note in every cell that is edited.
2. An installed trigger (AonEdit()) to send email from Mr.A's email on every edit.
3. A function (summary()) to create a summary of Main Sheet and send email from the user's account to himself (to run manually from the script editor).
4. A function to protect the secret sheet (protect()).
5. A simple onOpen() trigger logging "Someone opened your sheet".
And he gives edit access to Mr.B (an editor). What can Mr.B do?
Mr.B edits cell A1 in Main Sheet:
- Simple trigger onEdit is fired anonymously and a timestamp is set on A1 as a note.
- Installable trigger AonEdit is fired under Mr.A's authority and an email is sent from Mr.A's gmail. This is not known to Mr.B, though he can see the script itself.
Mr.B, being a cunning person as he is, unhides the secret sheet successfully and attempts to modify it:
- Mr.B could not modify the secret sheet, even though he can fully unhide/view it.
Mr.B finds the script editor and tries to run the function summary(). This function needs gmail permission. Mr.B is greeted with authorization[¹] for Mr.B's gmail account, so that the function may run. Mr.B grants authorization and the summary is sent from Mr.B's gmail account.
Mr.B cunningly modifies the protect() function to grant himself edit access to the secret sheet. The user at the keyboard is Mr.B. Mr.B's authority is not enough. He's greeted with the following error:
"You are trying to edit/remove a protected cell or object. Please contact the spreadsheet owner to remove protection if you need to edit."
Mr.A (Owner) knows about this unauthorized access attempt by Mr.B. He restricts edit access to all sheets. Now Mr.B, even though he has permission to edit the spreadsheet, cannot edit any sheet in the spreadsheet. Whenever he opens the sheet, the simple onOpen() is triggered, logging "Someone opened your sheet". Mr.B, however, can run the function summary() even now (if he has the script editor link) to get the summary of the sheet.
Solutions:
as this allows them to re-run the script and take "power" on the sheet.
A user with write permission can enter the script and modify the permissions.
As explained above, that won't be possible. The sheet/range edit permission is maintained even at the script level. However, a potential loophole is the AonEdit() function. If Mr.B were to know that Mr.A had set up an installable trigger for the AonEdit() function, he can modify the AonEdit() function to say protection.remove(), which will run under Mr.A's authority (installable triggers run under the person who created them), and thus the protection is removed.
I wish people can not see the script.
You can use a standalone script⁶. You can also use installable triggers[³] with standalone scripts, subject to the restrictions of those triggers (such as that it'll only run under your authority). Since the script is not bound to the spreadsheet, editors on the spreadsheet do not have edit/view permission on the script. Alternatively, you can publish an addon⁷/webapp⁸.

How to allow to run google script on a protected sheet (in a spreadsheet) [Can't use trigger and web app]

I'm coding a script for a spreadsheet. This script creates a menu.
Then by choosing an option in this menu a function (which uses API) will run in order to filter some columns and hide others.
The problem is:
This sheet is protected (because shared with coworkers) but I want to allow people to run the script, which is impossible without the permission.
I already looked at different solutions:
- Using a trigger: Doesn't work because a trigger can't correctly call a function which uses API (yes, my functions use API).
- Web App: When the script is run from the spreadsheet, the script is run as the current user, not the script editor. (The web app is efficient if the user uses the HTML page.)
- Remove protection -> run the function -> Re-add protection: Can't modify the protection without permission, which is logical.
- Add the current user in the list editor -> run the function -> Remove the current user from the list editor: Can't modify the editor list without permission, which is logical.
How can I solve this problem?
This is a pain for which I have not seen a good workaround. Google should know that in a collaborative environment the owner would create scripts and want users to be able to run those scripts while at the same time not messing with formulas or cells that you desire to protect. The only way I have found to solve this on the sheet itself is to unprotect and then protect the cell or range you are making modifications to during the script run. Do be mindful that if the script fails in the middle (after you have unprotected it), the cell remains unprotected. Might want to run within a "try" script.
Are you the spreadsheet owner?
If no, you are not authorized to bind an Apps Script to it.
But you can make a copy of the spreadsheet by duplicating it and saving it in your drive.
If the spreadsheet was created by you yourself, maybe you created it under another username. If so, log in as that user and change the sharing option to allow the specific user to edit it.