"exception: You do not have permission to access the requested document.” after ok by review team and appscript is published


Stefano

May 22, 2020, 8:18:53 AM5/22/20
to Google Apps Script Community
I published my Apps Script, and the review team gave me an all-OK.

Now when users install it, they have an error: "exception: You do not have permission to access the requested document."

What could it be?

OAuth 2.0?

[attachment: oAuth 2.0.png]

Or my scopes?

[attachment: Scopes.png]

My Apps Script has "unverified" status; could it be this?

Thanks for help!

Alan Wells

May 22, 2020, 8:30:57 AM5/22/20
to Google Apps Script Community
You are using the scope:
../auth/drive

Which is a restricted scope.  Restricted scopes need to go through a security assessment, which you may need to pay up to $75,000 for.
If you are trying to publish your project to the GSuite Marketplace, then your project falls into the category of needing a security assessment.

The documentation for restricted scopes is at link:

In your GCP settings, the scopes get set in two places:
1) The OAuth consent screen
2) The GSuite Marketplace SDK configuration

The scopes in those two places must be exactly the same.
You can't ask for restricted scopes in the Marketplace SDK, and then not ask the user to grant permission to some of the scopes in the OAuth authorization.

Darren D'Mello

May 22, 2020, 9:06:40 AM5/22/20
to google-apps-sc...@googlegroups.com
Alan, is it compulsory that an add-on has to undergo a security assessment with a fee of $75,000 if the Apps Script add-on uses the Drive scope?

I see that a great many add-ons using the Drive scope don't display as unverified.

How is this possible?

--
You received this message because you are subscribed to the Google Groups "Google Apps Script Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-script-c...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/6fbd0d78-f9b5-4c70-8013-3e412a6707ca%40googlegroups.com.

Stefano Congiusti

May 22, 2020, 9:23:24 AM5/22/20
to google-apps-sc...@googlegroups.com
Oh, thanks!
Up to $75,000, wow... OMG, I hope the Google team doesn't want that after publishing :)!

Darren: I read about some exceptions to the security assessment, such as a 100-user limit (my Apps Script had a 100-user counter) or personal use.

So to publish for everyone, even if I update OAuth 2.0 on the OAuth consent screen, I could never access the Google user's Drive.

Hmm, I use the user's Drive to create a file as a database... how could this be solved? Is there a solution?




Andrew Roberts

May 22, 2020, 9:41:27 AM5/22/20
to google-apps-sc...@googlegroups.com
Correct me if I'm wrong, but my understanding is that you only have to have a security assessment if you use a restricted scope AND access a third-party service (i.e use UrlFetch.fetch*()). Google don't want you sharing user data with third-party services unless they are happy it is safe to do so.

https://support.google.com/cloud/answer/9110914?hl=en#security-assessment

"If you submitted an app that requests restricted scopes, and the app accesses Google user data from or through a server, one of the follow-up verification steps will be to get your app reviewed by an independent security assessor."

Darren D'Mello

May 22, 2020, 9:55:26 AM5/22/20
to google-apps-sc...@googlegroups.com
Andrew I think you are right.

Alan, Romain, Martin, Fausto and others, please could you all put forth your ideas?



Best,
Darren

Alan Wells

May 22, 2020, 10:53:23 AM5/22/20
to google-apps-sc...@googlegroups.com
I believe that it is correct that you can still use restricted Drive scopes without needing a security assessment as long as your app doesn't somehow have the capability to send data/information out somewhere.  For me personally, I need to use UrlFetchApp.fetch(), so I haven't tried it.  Although there are probably other options.
But anyway, your settings still need to be correct.



Stefano

May 25, 2020, 12:52:22 PM5/25/20
to google-apps-sc...@googlegroups.com
OK, I delved into the matter and the documentation says:


"If you submitted an app that requests restricted scopes, and the app accesses Google user data from or through a server, one of the follow-up verification steps will be to get your app reviewed by an independent security assessor. This assessment helps keep Google users’ data safe by verifying that all apps that access Google user data demonstrate a minimum level of capability in handling data securely and deleting user data upon user request.
Assessments will be conducted by a Google-designated third-party assessor, may cost between $15,000 and $75,000 (or more) depending on the complexity of the application, and will be payable by the developer. This fee may be required whether or not your app passes the assessment. We expect that fees will include a remediation assessment if needed. If your app has previously completed an adequate security assessment as determined by the assessor, you will be able to provide a letter of assessment that may reduce the scope of the review."


Then:

Why is the security assessment needed?
To help keep user data safe, we are requiring apps that are requesting restricted scopes and store data or have the ability to store data on (or transmit data through) servers that are not fully managed Google services to demonstrate a minimum level of capability in handling data securely and deleting user data upon user request. Customers manage Google Cloud and FirebaseCP services, so they would still require a security assessment. Google fully manages storing user data in Google Drive via drive.appdata, so this type of data storage does not require a security assessment.  
How will the security assessment work?
First, your application will be reviewed for compliance with the Google API Services: User Data Policy via the restricted scope verification you submit through the Cloud Console. Upon completing most of the checks in the restricted scope verification, you will receive an email with third-party security assessors who you can contact and use to perform your security assessment.
Assessments will be conducted by a Google-designated third-party assessor, may cost between $15,000 and $75,000 (or more) depending on the complexity of the application, and will be payable by the developer. This fee may be required whether or not your app passes the assessment. We expect that fees will include a remediation assessment if needed. If your app has previously completed an adequate security assessment as determined by the assessor, you will be able to provide a letter of assessment that may reduce the scope of the review.

Why is Google charging a fee for the security assessment?

The assessment fee is paid directly to the assessor and not to Google. A certified third party will complete the security assessment to ensure the confidentiality of your application. Depending on the scope and complexity of your app, the cost for the third-party assessment may vary from $15,000 to $75,000. Smaller apps will be on the lower end, while more complex apps will require more review and expense.
Existing assessments that meet the security assessment program standards might reduce the scope and cost of your review. The assessors will consider existing assessments in their review.
Because we’ve pre-selected industry-leading assessors, the letter of assessment your app will receive can be used for other certifications or customer engagements where a security assessment is needed.


So there are also some exceptions, such as up to 100 users and/or an Apps Script for personal use (my options). These exceptions give the option of not submitting for review; however, I have to do it anyway (I don't know why...).


Now my doubt:

So from these questions and answers I have understood that for Google Drive in my Apps Script there is no security assessment, just a verification. What do you think?

I would be curious to understand how they contact the assessor and how payment works... hmm...

Now I've unpublished my Apps Script, added the scopes in OAuth 2.0 and republished the app.

Suggestions? What do you think about all this?


Alan Wells

May 25, 2020, 1:15:45 PM5/25/20
to Google Apps Script Community
It's good that you added more scopes to your OAuth 2.0.
If your add-on is not making external requests from the server, then you shouldn't need to go through the security review.
Previously, your OAuth 2.0 settings didn't include the scope
/auth/drive
and therefore your user probably wasn't being asked to authorize access to their Drive, and so when your code tried to use the Drive Service, it would have failed.  I'm guessing that's what could have happened.

You can test the installation of your add-on yourself by logging into a different Google account than the one you used to develop the add-on, and installing the add-on for yourself.  If you don't have another Google account, then you can create one for doing that test.  You don't need to wait for users to tell you that there is something wrong.  If you do that, then you could have bugs that you never know about.

Stefano

May 27, 2020, 3:29:26 AM5/27/20
to Google Apps Script Community
Oh my god... I have added OAuth 2.0, I have republished, and the review team gave me OK... but SAME PROBLEM! :(((
Error code: 550

I don't know what it could be or how to solve it... do you have any suggestions?

Could it be the unverified app?

I don't understand, because my app is still unverified... my domain is verified...

Alan Wells

May 27, 2020, 9:34:19 AM5/27/20
to Google Apps Script Community
What is the line of code that generates the error?

Stefano

May 27, 2020, 12:38:31 PM5/27/20
to google-apps-sc...@googlegroups.com
When I call this function:

function gestiscidatabase() {
  // The database file ID is read from the script (project-wide) properties.
  const fileid = PropertiesService.getScriptProperties().getProperty('FILEID');
  Logger.log(fileid);

  const htmlOutput = HtmlService.createTemplateFromFile('interfacciaDB');
  if (fileid !== null) {
    htmlOutput.avviso = 'Database PRESENTE';                 // "Database PRESENT"
    htmlOutput.name = SpreadsheetApp.openById(fileid).getName();
  } else {
    htmlOutput.avviso = 'Database ASSENTE';                  // "Database ABSENT"
    htmlOutput.name = 'ATTENZIONE: Database assente';        // "WARNING: database absent"
  }
  // Same sidebar in both branches; only the template variables differ.
  SpreadsheetApp.getUi().showSidebar(
    htmlOutput.evaluate().setTitle('ValueYourTime2020 - Gestione Database')); // "Database Management"
}

Perhaps I have to add some other scopes?... hmm, I don't know...

Alan Wells

May 27, 2020, 1:22:57 PM5/27/20
to Google Apps Script Community
Are you calling:
gestiscidatabase()

from an onOpen() onInstall() or onEdit() function?

Stefano

May 27, 2020, 2:44:35 PM5/27/20
to Google Apps Script Community
// Runs once when the add-on is installed; just builds the menu.
function onInstall(e) {
  onOpen(e);
}

// Runs on every open; the menu items call the functions by name.
function onOpen(e) {
  SpreadsheetApp.getUi().createAddonMenu()
    .addItem('Mostra interfaccia', 'avvisodatabase')   // "Show interface"
    .addItem('Gestisci Database', 'gestiscidatabase')  // "Manage database"
    .addToUi();
}

I call it from onOpen and onInstall.

Alan Wells

May 27, 2020, 2:59:10 PM5/27/20
to Google Apps Script Community
Okay, it's called from the user selecting a menu item.  It's not called directly from onOpen or onInstall.
Those are two different things.
That's not a problem.
Who owns the spreadsheet?  Your code gets a spreadsheet file ID from script properties.
Is that spreadsheet owned by the account that installed the add-on?

Stefano Congiusti

May 27, 2020, 3:42:36 PM5/27/20
to google-apps-sc...@googlegroups.com
Yes, the user owns it.
My code creates a new spreadsheet file to use as a database. I open it by ID.




Alan Wells

May 27, 2020, 3:50:52 PM5/27/20
to Google Apps Script Community
You are checking for a file ID with:

if(fileid !== null)

But it could be an empty string or undefined.  Try changing the test to:

if (fileid && fileid.length > 5)  //The fileid var is truthy and has a length greater than 5

Stefano

May 27, 2020, 5:09:21 PM5/27/20
to Google Apps Script Community
I tried it, but that isn't it... BUT you gave me an idea. I tried bypassing 'gestiscidatabase()' to run directly and create the file... and it runs!! So the problem is not OAuth in Google Drive. So the log gives me: problem at 550:36, which is "htmlOutput.name = SpreadsheetApp.openById(fileid).getName()".

So could the problem be when I pass the name var to the HTML file? But the question is in this function.

Alan Wells

May 27, 2020, 7:33:10 PM5/27/20
to Google Apps Script Community
You are chaining methods, and there is an error somewhere in the chain, but it's hard to know where in the chain the error actually is.
There may be advantages to chaining methods, but obviously, in this situation, it's not working for you.  You are not catching the error,
and your add-on is failing.  At least for debugging, I'd break up:

SpreadsheetApp.openById(fileid).getName()

to:

var ss = SpreadsheetApp.openById(fileid);
var ssName = ss.getName();

Then you can know for sure which method is creating the error.

You can keep guessing at what the problem is, or narrow it down to the exact code.

Stefano

May 29, 2020, 5:48:37 AM5/29/20
to Google Apps Script Community
I've solved it! Thanks, your suggestions were important!!

The problem was the Properties Service.

FILEID was created by the method getScriptProperties, so when fileid was read, it was read from the SCRIPT properties and not the USER properties!

So I've renamed all getScriptProperties to getUserProperties and it runs!

So I ask myself: why a permission error?

As you wrote to me, fileid was not null. Why? Because it reads the saved data from my (personal) script properties, but Google doesn't give access to the information (.getName), perhaps because the user is not in my organization.

I think that was it...

So thanks thanks thanks!!!

Alan Wells

May 29, 2020, 8:15:56 AM5/29/20
to Google Apps Script Community
I should have mentioned that the error message was probably wrong.
That does happen occasionally.
The real error had nothing to do with permissions, but that the file ID was null.
This is why I have lots of error handling in my code.
It's hard to imagine every possible thing that can go wrong.
There are probably millions of things that can go wrong.
It's not humanly possible to think of every possible thing that can go wrong... so catch the errors.

Thanks for reporting that you found the error and what it was.
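The script-versus-user properties mix-up that Stefano found, together with Alan's advice to validate the stored ID, split the method chain and catch the error, as an added example that is not part of the thread and not Stefano's add-on code. Apps Script's services only exist on Google's runtime, so Drive, SpreadsheetApp.openById and PropertiesService are replaced by in-memory stand-ins; the two accounts, the file names and the "long opaque string" check on the ID are constructed assumptions for the example. The point it shows is that a script-scoped property is one value shared by every installer, so the second user silently tries to open the developer's spreadsheet, and that the same code with a per-user store and a named failing step reports "no database for this user" instead of a misleading permission error.

```javascript
// Added example, not code from the thread. Models the bug behind the
// "You do not have permission to access the requested document" error:
// a file ID saved with PropertiesService.getScriptProperties() is one value
// shared by everyone who installs the add-on, so the second user ends up
// opening the developer's spreadsheet. Drive, SpreadsheetApp and
// PropertiesService are replaced by in-memory stand-ins constructed here.

// Constructed stand-in for Drive: file ID -> { owner, name }.
const DRIVE = {};
let nextId = 0;

// Stand-in for SpreadsheetApp.create(): the new file belongs to the caller.
function createSpreadsheet(currentUser, name) {
  nextId += 1;
  const id = 'id_' + String(nextId).padStart(30, '0'); // long opaque ID, as in Drive
  DRIVE[id] = { owner: currentUser, name: name };
  return id;
}

// Stand-in for SpreadsheetApp.openById(): files the caller cannot see are refused.
function openById(currentUser, fileId) {
  const f = DRIVE[fileId];
  if (!f || f.owner !== currentUser) {
    throw new Error('You do not have permission to access the requested document.');
  }
  return { getName: () => f.name };
}

// Stand-in for PropertiesService: script properties are one map for the whole
// add-on, user properties are one map per account.
const SCRIPT_PROPS = {};
const USER_PROPS = {};
function getProperties(scope, currentUser) {
  if (scope === 'script') return SCRIPT_PROPS;
  if (!USER_PROPS[currentUser]) USER_PROPS[currentUser] = {};
  return USER_PROPS[currentUser];
}
function resetStores() {
  for (const k of Object.keys(SCRIPT_PROPS)) delete SCRIPT_PROPS[k];
  for (const k of Object.keys(USER_PROPS)) delete USER_PROPS[k];
}

// Assumption: Drive IDs are long opaque strings, so null, '' or anything short
// is rejected before it reaches openById (a stricter form of Alan's length check).
function looksLikeFileId(v) {
  return typeof v === 'string' && /^[A-Za-z0-9_-]{20,}$/.test(v);
}

// The add-on's "create database" step, saving the ID in the chosen store.
function createDatabase(scope, currentUser) {
  const id = createSpreadsheet(currentUser, 'ValueYourTime DB of ' + currentUser);
  getProperties(scope, currentUser).FILEID = id;
  return id;
}

// Counterpart of gestiscidatabase(): the chain is split so the failing step is
// named, and errors are caught instead of taking the add-on down.
function openDatabase(scope, currentUser) {
  const fileid = getProperties(scope, currentUser).FILEID;
  if (!looksLikeFileId(fileid)) {
    return { ok: false, step: 'lookup', message: 'Database ASSENTE: no valid FILEID stored for this user' };
  }
  let ss;
  try {
    ss = openById(currentUser, fileid);
  } catch (e) {
    return { ok: false, step: 'open', message: e.message };
  }
  let name;
  try {
    name = ss.getName();
  } catch (e) {
    return { ok: false, step: 'getName', message: e.message };
  }
  return { ok: true, step: 'done', name: name };
}

// Replays the thread with two constructed accounts: the developer creates the
// database, then a second installer tries to open it.
function demo() {
  resetStores();
  const dev = 'dev@example.com';
  const bob = 'bob@example.com';
  createDatabase('script', dev);
  const sharedStore = openDatabase('script', bob);      // bob reads dev's FILEID
  const perUserMissing = openDatabase('user', bob);     // bob has no FILEID yet
  createDatabase('user', bob);
  const perUserAfterCreate = openDatabase('user', bob); // bob opens his own file
  return { sharedStore: sharedStore, perUserMissing: perUserMissing, perUserAfterCreate: perUserAfterCreate };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `step` field is what the thread was missing: with the chain split, the first run reports `open` with the permission message (the ID was valid, it just belonged to someone else), while the per-user store reports `lookup` until that user has created a database of their own. In a real add-on the same structure applies with `PropertiesService.getUserProperties()` in place of the stand-in store.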