auth/drive.file scope combined with "auth/spreadsheets" scope in a Forms add-on

[Alan Wells]

I'm developing an add-on with the Apps Script project bound to the document (Form).  And I have the Drive scope set to:

"https://www.googleapis.com/auth/drive.file"

But I also have the scope:

"https://www.googleapis.com/auth/spreadsheets"

The spreadsheets scope, gives broad access, and the spreadsheets scope seems to override the auth/drive.file scope when the code is doing anything with spreadsheets.  Which means that the code has broad access to Sheets files regardless of the auth/drive.file scope.

For example, I used the following code to add a new sheet tab to a Sheets file, and the Sheets file was manually, newly created.  So, the file was never picked with the picker, and it was not created by the script code.

function testAccess() {
 
  var ss = SpreadsheetApp.openById('my new Sheets file ID');
  ss.insertSheet('new test name')
}

The code ran with no error, opened the spreadsheet and added a new sheet.  I would have thought, that the /auth/drive.file scope should have prevented access to the new manually created file, and generated an error.  But it didn't.

I also put the bound code into a stand alone file, and used, "run" - "test as add-on" and got the same results.  It's pointless for me to use the "currentonly" restriction on the spreadsheet scope, because this is a Forms add-on.  There is no currently active spreadsheet for the add-on.  It's a Forms add-on.  So, I can't restrict access to spreadsheets with "currentonly".  I don't think. 

I guess the real test will be when I try to create a PDF file, which my add-on needs to do.  That's my next test.

[Eric Koleda]

Yes, that sounds like it's working correctly. Your app has the capabilities allowed by the union of your scopes, so requesting an additional narrow scope shouldn't remove capabilities.

- Eric

[Alan Wells]

Thanks for confirming.  I'd never thought about the end result of the union of overlapping scopes before. It makes sense.

--
You received this message because you are subscribed to the Google Groups "Google Apps Script Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-script-c...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-script-community.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/e50ec0e5-360d-443c-a8b0-62b66128d9e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.