Is it a common practice for app or script programmers to request access to all files even when unnecessary?
2,441 views
Skip to first unread message
Monica8
Jul 4, 2021, 12:19:01 PM7/4/21
to Google Apps Script Community
Hi everyone,
I found out that when I run a particular script it always requests full access to all files in my Google Drive and Google Doc ("See, edit, create and delete all your Google Sheets spreadsheets", "See, edit, create and delete all of your Google Drive files"). The company that made this script and needs me to run it doesn't really need that done for the small tasks this script needs to perform. I don't understand why such full access would be requested then, just some accidental mistake or is this common practice? Is there any other prerequisite for a developer to be able to access my files in actuality other than requesting such access as above whenever I'm to authorise the script?
I found out that when I run a particular script it always requests full access to all files in my Google Drive and Google Doc ("See, edit, create and delete all your Google Sheets spreadsheets", "See, edit, create and delete all of your Google Drive files"). The company that made this script and needs me to run it doesn't really need that done for the small tasks this script needs to perform. I don't understand why such full access would be requested then, just some accidental mistake or is this common practice? Is there any other prerequisite for a developer to be able to access my files in actuality other than requesting such access as above whenever I'm to authorise the script?
Thank you for any answer.
Alan Wells
Jul 4, 2021, 12:32:34 PM7/4/21
to Google Apps Script Community
There are a couple of settings (scopes) that can restrict access to your Drive and to just the Google Doc that the code is running from.
Probably what happens, is that they either don't know about how to do that, or they don't want to do the extra work.
The code editor evaluates the code and automatically decides what permissions needed to be asked for. (Authorized)
But the code editor doesn't have the capability to evaluate all possibilities and choose the most restricted scope.
So, it just automatically uses the most permissive scope.
So, it just automatically uses the most permissive scope.
They should change the code to a more restricted scope. It's a matter of trust.
The scopes can be changed to only allow access to the current Google Doc, and to only files in your Drive that you choose with the Google File Picker.
If that code needs to do a general search of your Drive to find a file or folder, that may be why the Drive scope is using full access.
But if the code doesn't need to search for files that the script did not create, then a more restricted one can be used.
It's more work to add the Google File/Folder picker to the app, and they may not know how to do that.
Monica8
Jul 4, 2021, 12:41:50 PM7/4/21
to Google Apps Script Community
Thank you for the exhaustive answer, that makes sense. They don't need to search for files, other than the file I'm running the script on. Would be nice if it just did the more restricted option by default. Would you say this
is pretty common then that a script asks for full access like this even when not needed? Do I understand that right?
Monica8
Jul 4, 2021, 12:49:59 PM7/4/21
to Google Apps Script Community
Oh, I have one more question: in my Google Sheets, there are sheets owned by me and sheets not owned by me. Does the above type of access allow access
to
the sheets not owned by me as well?
Alan Wells
Jul 4, 2021, 1:01:16 PM7/4/21
to Google Apps Script Community
Good question. I don't know for sure if that full access permission allows the script to also access files that have been shared with you. Because the script is probably running as "you" then I'm guessing that it does.
I'd say that it was common that full access is asked for. Most people writing Apps Script code probably don't know how to use a more restricted permission.I think there is also a bug that might be a problem. I've run into a problem with the code accessing the file that the code is installed in.
You'd think that the restricted permission would automatically allow access to the document file that it's installed in, but it doesn't.
That's actually a big problem.
So, it might have something to do with that.
For a long time Google didn't even provide a way to restrict access. They basically only did that when they started getting taken to court.
The situation is also very much dependent upon the skills and knowledge of the person who wrote the code.
Do you have access to the code? Can you open it up in the code editor?
Monica8
Jul 4, 2021, 1:10:18 PM7/4/21
to Google Apps Script Community
Thank you again for the answer. That makes sense too, yeah. I was wondering myself if there could be a problem with the code easily accessing the file like that if restrictions are applied. That explains even more of the situation. To answer your question, no, I don't have access to the code for the script.
Alan Wells
Jul 4, 2021, 1:15:32 PM7/4/21
to Google Apps Script Community
The only way that you can't get access to the code is if you don't own the Google Doc, or it was installed as an addon. Is it an addon?
Monica8
Jul 5, 2021, 12:19:21 AM7/5/21
to Google Apps Script Community
I don't own the Google Sheet file it runs on. Not sure about what you mean about it being an addon - I have to select a menu item from an extra menu in Google Sheet to run the script. Does that answer your question?
Alan Wells
Jul 5, 2021, 9:20:31 AM7/5/21
to Google Apps Script Community
Yes, that answers the question.
If you have edit access to the Sheet, then you can click the "Tools" menu and click "Script Editor" and the coded editor will open in a new browser tab with the code.
That would allow you to see the code. Then you could determine what the code is actually doing.
It is a security threat because it has broad access to your Drive, and you aren't sure if it's doing something that you are unaware of.
Monica8
Jul 5, 2021, 4:59:34 PM7/5/21
to Google Apps Script Community
Thank you very much for the suggestion, and yes I was able to open it that way. It seems to refer to a custom library a lot, and I didn't see much else in the script beyond that. I didn't see how to look at the custom library. Is there a way for that or do I need to even? I can send this to you, if you want, it's three small files I was able to download this way (other than the custom library)
Alan Wells
Jul 5, 2021, 6:09:04 PM7/5/21
to Google Apps Script Community
You can get the library key the same way that you'd add a library.
See:
You should be able to view the library code by getting the library key and they putting the key into a URL, and use the URL in the browser address bar to open the file in the script editor.
See:
Whoever is providing the code should have a more restricted scope if possible.
I guess it's a personal choice dictated by whether you trust them, and how much you need to use that Sheet, and whether you have a choice or not.
Or if its a service that you'd like an alternative for.
Monika
Nov 15, 2021, 10:16:30 PM11/15/21
to google-apps-sc...@googlegroups.com
Hi, sorry I never responded. I had a problem afterwards and could not deal with this issue too. Thank you again for all your answers, much appreciated! If I ever get another question on this, I'll let you know if you don't mind. Thanks again,
Monica
--
You received this message because you are subscribed to a topic in the Google Groups "Google Apps Script Community" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-script-community/7jDTmJkhMLs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-script-c...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/10e7390b-c61a-407c-aae2-4663411ce834n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages