I inserted a google apps script as a gadget in a google Site. This GAS implements a page on html service and is intended to capture user data and store it in the ScriptDb of another script. Playing around, I noticed that viewing the source code of the google site any user could access directly to the GAS via an url displayed on the source of the Google site. I followed this link, and there was the GAS! From this link, I tried to save new data to ScriptDb, and I found that fortunately this was not possible. Doesn't this behaviour represent a security issue? Can I be sure that It is not possible to modify the ScriptDb data from this embedded link?
The ScritpDb your script creates can only be accessed accessed by that script's code - just because you have the URL to the published script or even if you have code in some form DOES NOT give you access to the ScriptDb.
However, lets say if in your doGet if you are blindly dumping out all the data to HTML output if a certain predictable parameter is passed in, then that is bad. But that would be considered a programming error.
So in short - if your ScriptDb is properly wrapped with the appropriate Apps Script, then access to that ScriptDb is secure.
I can clarify more if you share some code around what you worry might be insecure.
Related
I created a small app on top of a spreadsheet (with GAS and HTML, CSS) and I deployed it.
Users can access to it without having to enter in the spreadsheet.
It works really well but i'm not able to see even the basic analytics (for eg. the number of viewers)
Thanks
Go to the project overview page. In the Google Apps Script web IDE, on the lefmost sidepanel click on Overview.
Also, if you have starred your project, go to https://script.google.com/home/starred
Rather than "viewers" you will see "users". If you have set your web-app as execute as you by anyone even anonymous, you will see only one user, you, as this page show the users that exectuted the scripts like the doGet function and the server-side functions called through google.script.run.
Note: https://script.google.com keep execution logs for the last 7 days. If you need to keep the logs longer you have to use another place to keep these logs, i.e. Cloud Logging (requires a Google Cloud standard project), Google Sheets spreadsheet.
Resources
https://developers.google.com/apps-script/guides/logging
Related
Effective way to debug a Google Apps Script Web App
I have google sheets addon in Google Workspace Marketplace. I want to store the emails of the users installing the addon. I'm thinking of three possible ways.
Write to private spreadsheet under the addon account (different than the user's). Addon is running under user's so the question is, is this even possible - accessing the addon account (specifically writing to a spreadsheet) from within the user google account context?
using PropertiesService - Write the user to script properties using PropertiesService class.
One problem with this one is the limitations as explained in Quotas for Google Services.
for me, at lease for now, this is enough.
However the question is how to access those script properties programmatically.
Of course I can access the data from the script editor, but this is not practical if I want for example to send mail to all the users.
adding code to the addon that will be available only for specific users (admin). In this case since I can read the users from the script properties, and maybe write them to spreadsheet to be used later. This looks ugly, I admit.
I'm not asking for code solutions, but suggestions for the right or best approach.
The easiest solution is to create a database
Create a spreadsheet located on your Drive, shared as "Everyne can edit".
Implement a flow where after Add-n installation data containing the user"s email will be appended to the spreadsheet.
This request will take place on user's beahlf, however given that the spreadsheet is shared publicly, there won't be any access permission issues
Even if the spreadsheet is shred publicly - given that the spreadsheet id is not known by anyone other than the Add-on code, you do not need to worry about undesired access to the database.
Is it possible to bypass the verification process or at least the VERY SCARY "Go to (unsafe)" in tiny letters next to "BACK TO SAFETY"?
I sometimes have a shared Google Sheet that is meant to be used by a volunteer organization (think neighborhood HOA or PTA, etc) and I add Apps Script to add menus to assist with adding or editing information on that Sheet only. I don't request any user information and I'm not using the script to access the users Drive or Gmail or other sheets.
I haven't been able to find good documentation on this, but I can't tell if the Verification requirement stems from:
The fact that there is a script running at all
Some call I'm making to an API that is sensitive (and maybe I really am getting access that I don't realize?)
Use of HTML forms
If it's the 2nd that could mean some changes could render my scripts harmless - Fyi a possible culprit is the use of SpreadsheetApp. I use that to access .getActiveSheet(), .getActiveSpreadsheet(), .getUi().showModalDialog(), .Dimension.ROWS, .getActive().getSpreadsheetTimeZone(), .getUi()
.createMenu()
I'm creating a spellchecker using the Google Docs API in an Apps Script (just a script that extends the functionality of a Google Doc), and I wan't to make this service available to users whom download it as a Web App. Problem is that when I've made my (Container-bound) script in the script editor, it is only available in the Google Document through which I created it - that is, if i open a new document, I cannot use the script.
If I "Deploy as Web App", make it available to everyone and paste the given URL, I get an error message saying that the script needs a function called doGet(), which is not in my script.
How do I go about to publish my script as a regular web app?
I would proceed by creating two scripts:
the core functionality would be deployed as a Web App and a simple container-bound script would offer an interface to call the Web App.
Since the Web App is not bound to a document you may want to follow this scheme:
function doGet(e){
if(e.parameter.docId){
doStuff(DocumentApp.openById(e.parameter.docId));
}
}
Now when you deploy the app you will get a link that gives you access to the functionality.
From the container-bound script you can add some UI (e.g. an Anchor element in a side-panel) that links to the web app with the appropriate parameters
ScriptApp.getService().getUrl() + "?docId=" + DocumentApp.getActiveDocument().getId()
or use UrlFetchApp to get the results and display them in the UI.
Unfortunately this is not the same as adding the functionality across all your documents automatically, but rather a way to install only a relatively lightweight hook in each document where you want to add the functionality, instead of the full script.
I am not aware of any method that can achieve that. Note that when you make a copy of a document, the copy will contain all its scripts so you can create a template for documents that need the additional functionality. This can get ackward though if you wish to mix and match multiple scripts.
The advantage of my method is that if you modify the core functionality, the change is immediately available to all your documents making use of it, with no need to update their scripts. On the other hand if the container-script needs to interact heavily with the UI it may get complicate and reduce the usefulness of separating it in two scripts.
The answer is in your question : the main function of your script (the one that builds the UI) must be called doGet() (this is the conventional entry point of any GAS webapp, the function that you implicitly call when opening the webapp url)... but I'm afraid this will not solve your problem...
Even if I don't know what is in your script and how you wrote it I guess that it refers to the doc in which you bound it as the "active document" and that will probably be the most important issue since a webapp has no document attached to it.
Beside that, how would a spell checker work as a standalone app ? could you explain more clearly what you want to do ?
I've got an ambitious first Google Apps Script project for use in a Google site.
Using a spreadsheet database I have a list of Google users that each have a unique URL to a service at a non-Google website.
What I need to do is place a link in a Google Site that will
Get current user id based on logged in user
Interrogate spreadsheet database for the unique URL based on Google user
open the unique url in another tab/window
Any pointers or code snippets would be very much appreciated, especially around minimising user authorisation. As it is a Google Apps domain the script could be pre-authorised as a trusted script if that is even possible.
Thank you
I did write a site gadget that does exactly what you want, (except that users have to enter their name because the site is public and I wanted to avoid asking authorization), you'll find the code and explanations here, I'm not going to reproduce the whole code here but in short it allows to enter a name (even partially) and looks for any match in a spreadsheet list then shows a link to an individual url. It is also possible to see it working on the same page.
(see page bottom, it looks like this)
To answer your second point, there is no way to avoid the authorization process, the idea of 'trusted source in a domain' has already been mentioned in a few discussions with project members but for now it is not possible.