How to prevent collaborators to use the addon at the same time with the owner?

[Hoang Trinh]

Hi everyone,

I'm working on an addon project.

When my addon's user shares the document with some collaborators, all of these collaborators can also use my addon.

This will cause error in my system because when the document is shared, the Session.getActiveUser() returns empty string, so all the code that need user's authorization will fail.

How do you solve this problem in your addon? What is the best practice here?

Is there anyway to allow the collaborator to use the addon without causing error? And in that case, the code execution is under the role of who? The owner or the collaborator?

Thank you.

[Andrew Apell]

I would like to understand one thing first:

How did you publish or share your add-on and is it bound to a spreadsheet or standalone?

[Hoang Trinh]

Hi Andrew,

To answer your questions:

• The addon is a standalone script
• I published it to both G Suite Marketplace and Addon Store followed this guide https://developers.google.com/gsuite/add-ons/how-tos/publishing-editor-addons (and Google had approved it)
• About sharing with other collaborators:
• First I created a form
• After that, I installed the addon from Marketplace
• I configured something in the addon
• I share the form to other collaborators using "Add Collaborators" feature of Google Forms
• Now the addon is "enabled" in this document, so other collaborators can also see the addon from addon menu, open it and do something with it

On Monday, September 9, 2019 at 1:17:48 PM UTC+7, Andrew Apell wrote:

I'm would like to understand one thing first:

[Andrew Apell]

It is hard to say if this would work (without fully looking at the code) but have you tried getEffectiveUser()

[Hoang Trinh]

I've just tried getEffectiveUser(), and it seems to work actually.

But it still makes me confused. If I use getEffectiveUser(), the script will execute under the role of who?

I did a quick test by putting these 2 lines in the code:

console.log(Session.getEffectiveUser().getEmail())
console.log(Session.getActiveUser().getEmail())

1. For the owner, it logs the email correctly

2. For the collaborator:

getEffectiveUser() logs the email correctly

But getActiveUser() gives me the error in Log Viewer: "The script does not have permission to get the active user's identity."

Do you know why is that? Because for the collaborator email, I still have to open the form, open the addon, and click a button that will call google.script.run.functionName (which calls getActiveUser()). 

So in that case, I think that the collaborator email is a valid Active User

[Andrew Apell]

According to the documentation, getEffectiveUser() "Gets information about the user under whose authority the script is running"

...

getActiveUser() "Gets information about the current user. If security policies do not allow access to the user's identity, User.getEmail() returns a blank string"

Are the collaborators getting prompted to grant permissions?

[Romain Vialard]

Yes, each user of an add-on has to authorize it and the add-on runs with the permissions of the current user, who, in this case, is the effective user.

getActiveUser() is usually used in Apps Script web apps, not add-ons, deployed and running under the permissions of its creator (that way you can create a web app which doesn't ask any permission to end users while being able to identify them, especially inside a G Suite domain).

Within an add-on it should also be possible to use getActiveUser() to answer specific use cases (for example, if you want to track every time someone opened a specific spreadsheet, you could have an add-on for spreadsheets that would create an Installable Trigger which would be able to identify, via getActiveUser() any user belonging to the G Suite domain of the user who set up the add-on inside this spreadsheet).

But in this case, getEffectiveUser() is the appropriate method and will identify the account currently using the add-on.