I have been working quite a lot with Google Apps Script lately, but there is one thing that still is very unclear to me and the docs do not hint about it at all:
When publishing a script as a WebApp (access: Anyone, as: User accessing the WebApp) and asking for permissions (e.g. GMailApp access, UserProperties and Trigger) and then afterwards changing that script (but not asking for any additional permissions, just changing code) and publishing it again, it seems as if triggers being run by Scripts priorly authorized by users lose their authorization (e.g. the user gets an email with a failure message: Authorization is required to perform that action. from that script).
I read about libraries being independent based on their version, but accessing GMailApp from within a library or a Trigger within a library is not possible as it needs the active user? Is there any way around this? What is the suggested upgrade path, e.g. how can I make (code) changes to the script without making it fail for existing users?
Some services - gmailApp and mailApp for sure- are considered as sensitive matters by Google and therefor any modification in the code, even a very minor change, implies a renewal of the authorization. I can't remember exactly right now where I read that info but I'm pretty sure I read it (!) and I saw it also as a Googler answer somewhere in this forum. Forgive me for not being accurate concerning references.
Anyway ... that explains why you have these authorization issues with your script and AFAIK there is no way to avoid this process.
That said, your users should get an authorization screen, not an error message for services that they use in your app.
If you use triggers in your app (that you set yourself of course) then you should run these functions yourself manually to pass the authorization since the triggers are executed under the authority of the one that creates them, no matter how your webapp is published.
I hope I'm clear enough, if not refer to the doc about installable triggers and this doc also.
Related
I have a similar question to both of the questions below. I have a script bound to a google sheets, and I use this sheet as template. However I'm looking for an option to not have to grant permission each time I copy the file.
From reading the answers in the questions below, I understand I have to publish a standalone script as an add-on.
However, reading this answer, I see that I need to create a Cloud Platform Dashboard and all bunch of stuff which looks pretty messy to me, such as google reviewing process. Again, it is only for personal use...
Is there a way I can privately publish it as an add-on, without having to go through all the process?
Thank you
What is the best way to create Container-bound Scripts that can be cloned?
Grant permissions on open for first time for a bound script in Google Sheets
If you don't want spreadsheet hook triggers like onEdit or button or anything else, You can use a standalone script.
A standalone script can be written, which loops through your spreadsheets doing what's needed based on a time trigger.
Adding to the already existing answer
Publishing a private add-on does not require going through the Google Review process, especially since it is for personal use only.
Therefore, the situations below do not require verification:
If you want to deploy the add-on solely for internal use which means that the add on will be used only by people in your Google Workspace or Cloud Identity organization.
If you want to use the add-on domain wide which means that the add on will be used only by Google Workspace enterprise users within the domain.
For the whole list of exceptions from the verification process, you can check this here.
Reference
OAuth API verification FAQs.
Why am I not able to give permission/authorization to a Google Apps Script that I also made using the same Google account?
It seems like Google doesnt trust myself to use my own Google Apps Script with my own Spreadsheet.
Here is the line of code that breaks everything. If this line doesnt exist, I'm not asked for permission.
var sheet = SpreadsheetApp.getActiveSheet();
So it's trying to access the spreadsheet that created this Google Apps Script, also made using my account but I cant grant permission.
When I run the line of code above, I am told I need to give permissions, so I do by selecting the account name I am already logged into. I am greeted by this error,
This app isn't verified
which unfortunately does not provide competent documentation to troubleshoot.
Any feedback or help would be much appreciated! Thanks!
Click on the "Advanced" link and you'll be able to authorize your script.
To reduce the scope of permissions you request, you also have the option of declaring your script project to be only able to interact with the bound document:
/* #OnlyCurrentDoc */
function myFunction() {
...
This declaration is incompatible with some methods (such as SpreadsheetApp.openById()), and using an incompatible method results in an error in the application execution.
Successfully adding it to your project is generally sufficient to remove the "This application is unsafe" layer of the authentication flow, meaning the authorization and permission list is not hidden behind the "Advanced" tab.
In addition to declaring as current document only, manually editing the requested scopes of your project in its project manifest can help reduce the perceived threat from an unverified application (for example, retaining only the "read_only" version of certain scopes, where applicable). Apps Script documentation offers more details on project manifests.
I have a system (I'm the only user of this system, and that's not expected to change, ever) in which spreadsheets are copied from a template file. This template has a script, which populates a few menus to perform some operations. So each new copy of the template spreadsheet has its own copy of the script. The problem with this is that every time a new spreadsheet is used, the user (me) has to authorize the execution of the script. This didn't use to be that bad, but the authorization process has recently become way more annoying (see for example https://developers.google.com/apps-script/images/unverified-app-ui.gif). Given that I'm the only user of these spreadsheets, I think this process is unnecessary and wish to get around it.
I have tried to get around this by extracting the code into a standalone script file and publishing as an add on (https://developers.google.com/apps-script/quickstart/docs) but actually publishing it requires me to pay 5 dollars, and I think this is ridiculous given that I am the only user.
Any other ideas?
Thanks in advance.
AFAIK, that's the intended behavior. Check guide to the authorization lifecycle for add-ons.
Add-on automatically runs its onOpen(e) function to add menu items when a document opens — but to protect users' data, Apps Script restricts what the onOpen(e) function can do.
Note that only published add-ons can be in AuthMode.NONE.
The concept of authorization modes applies to all Apps Script executions.
Is there any way to invoke a Google Apps Script which serves content and limited to a domain within another Google Apps Script which is invoked by a user who is in that domain? Basically the content serve script is something which runs on administrator of the domain and serves private information.
I think it should work when content serving script is made, available to anonymous usage, but I wanted the content serving script to be available only within domain.
You could publish the first script as a web service, and then just call the functions remotely.
This can be done because when you publish as a web application you set the permissions with which the script gets executed.
https://developers.google.com/apps-script/execution_web_apps
Unfortunately, this isn't possible, as the script request aren't executed in the name of the author neither the user executing it, setting anonymous usage for the script should work.
But you can pass an argument through post or get. so even if anyone can invoke the script, only the script invoked with a key argument will do something
The question that remain is what to use: get or post
I don't know if request made by the script are done in https, so it's maybe a better solution to use post.
is a library what you're looking for? Remember this may slow down executions (vs just binding the script to multiple files like normal)
https://support.google.com/docs/thread/13371261?hl=en
Yes, it is possible. The simplest solution is to create an Apps Script library. You can use either a standalone script or a bound script as the library. I prefer to use a standalone to make it easier to access, and you won't be able to use functions that are specific to bound scripts that could mess up your script.
HERE is a quick video demonstrating how to get a GAS library setup.
https://www.youtube.com/watch?v=TqWtSp4IJcg&feature=youtu.be
In my organizzation, I created an internal site with a script callable from different pages inside that reads / writes data from various spreadsheets and send mail.
For testing, I shared the site and documents with a my colleague but he can't run the scripts because appears page to request permission:
"... This script is Requesting permission to do potentially harmful operations. Only authorize the script if you truly trust the author!"
if my colleague click on "authorize" nothing happens.
I give to my colleague the link of the script (not the page that embeds the script), clicking on "authorize" he received a long email from google where it is explained that authorized the execution of the script but instead continues to not work ..
The one way to allow the execution of script is to run the script directly from the editor to grant permissions.
I can't do it for other colleagues!!!
I'm really unhappy about this. I worked a lot on the script but now I realize that I can't do it to my colleagues for another google's big bug.
I have a script that uses also spreadsheet and mail service and I have not any difficulties with authorizations ...(after the red screen is approved user have full access to the app)
Are you sure there is not something else that could prevent your script to work with other users ? A document that is not shared or a call to an external api or whatever ? All I can say is that the current procedure is far more convenient than it used to be a few month ago and that I see not bug on that just now...
In my experience with scripts in spreadsheets, new users have to run the script, authorize it, and run it again.