CODEWITHSUNDEEP
google-apigoogle-drive-api
resgh
resgh

Reputation: 984

Google Drive Public File Permissions

Let's say I have a public folder which is not discoverable. If I expose the File ID of one of the files for download, is it possible for an untrusted user to obtain a link to the folder which contains that file, or a link to other files within that folder? I've done a search on the Google APIs but haven't found anything relevant.

Edit: Seems like some of you guys still don't get the question. So let me illustrate with a diagram. Let's say I have a public folder in Google Drive:

Folder A |
         |-- File X
         |-- File Y
         |-- File Z

So the question is, if someone else has the File ID of File X, which I'm fine with, then can he get the File ID of Folder A? Or the File IDs of Files Y and Z? That's where I'm concerned.

Upvotes: 0

Views: 512

Answers (1)

Linda Lawton - DaImTo
Linda Lawton - DaImTo

Reputation: 116958

If you create a file on Google drive it is just that public.

  1. If you share the file with me, then I have access to it.
  2. If i install an application that has access to my google drive account the owner of the app has access to it (Really they ahve access to all my files)
  3. If i give a copy of the link to my friend they can access it.
  4. I can technically also see what directory the file is in. I can then make a request to see what other files may be within this directory. If the directory is public then I have access to that information.

Only the file you set to public will be accessible.

  1. Files within the same directory as a public file will not be public.
  2. The parent directory will not be public just because it contains a public file.

The point with public drive files is anyone can access them without permissions. The only security you have is that Tom on the street cant just do a search and find your file, or can they will it popup in google search someday?

Update file id:

If you expose the file id then i can take the file id and download the file using the API just like you can using a public api key or using the Google APIs explorer. The file is public anyone can download it that has the id. It was also possible in the past to take the file id and use that to create a URL for download directly though the Google Drive website.

https://docs.google.com/spreadsheets/d/{FileID}/edit#gid=0

https://drive.google.com/drive/folders/{FileID}

This does not always work anymore mostly with files that are of type Google doc.

I can also use the file id to see what directory the file is in and request a list of files within that directory.

Example Testing with a given file id

https://www.googleapis.com/drive/v2/files/1AzP6ISIrC8CvK3rTZfNBJ8qZL6LwcaSI?key={my api key}

or just use the try me on this page

Files.Get

Response

{
 "kind": "drive#file",
 "id": "1AzP6ISIrC8CvK3rTZfNBJ8qZL6LwcaSI",
 "etag": "\"G9mQazc6pdRCuGfUPB_oyY074Ug/MTUxNTY5MzM4NjYxNA\"",
 "selfLink": "https://www.googleapis.com/drive/v2/files/1AzP6ISIrC8CvK3rTZfNBJ8qZL6LwcaSI",
 "webContentLink": "https://drive.google.com/uc?id=1AzP6ISIrC8CvK3rTZfNBJ8qZL6LwcaSI&export=download",
 "alternateLink": "https://drive.google.com/file/d/1AzP6ISIrC8CvK3rTZfNBJ8qZL6LwcaSI/view?usp=drivesdk",
 "embedLink": "https://drive.google.com/file/d/1AzP6ISIrC8CvK3rTZfNBJ8qZL6LwcaSI/preview?usp=drivesdk",
 "iconLink": "https://drive-thirdparty.googleusercontent.com/16/type/image/png",
 "thumbnailLink": "https://lh3.googleusercontent.com/_vX1BrFIsR-lVnFR1-VS9tp2toDLNfE6Cf1m3RGEIG7--VQfp53OiNbrnLC_rOGmqUbfn6QHQ7c=s220",
 "title": "splash.png",
 "mimeType": "image/png",
 "labels": {
  "starred": false,
  "hidden": false,
  "trashed": false,
  "restricted": false,
  "viewed": false
 },
 "createdDate": "2018-01-11T09:31:51.426Z",
 "modifiedDate": "2018-01-11T17:56:26.614Z",
 "markedViewedByMeDate": "1970-01-01T00:00:00.000Z",
 "version": "8",
 "parents": [],
 "downloadUrl": "https://doc-0g-6o-docs.googleusercontent.com/docs/securesc/1mngaurn1r7pdnvlih02e6t9l8me2de5/3q2i7ak140vftlc9c96evgvnsmri4m4v/1517565600000/18429462472537742596/06030588225573437243/1AzP6ISIrC8CvK3rTZfNBJ8qZL6LwcaSI?e=download&gd=true",
 "userPermission": {
  "kind": "drive#permission",
  "etag": "\"G9mQazc6pdRCuGfUPB_oyY074Ug/WUHObW5vTApa-BsGvLisiOGqWbA\"",
  "id": "me",
  "selfLink": "https://www.googleapis.com/drive/v2/files/1AzP6ISIrC8CvK3rTZfNBJ8qZL6LwcaSI/permissions/me",
  "role": "reader",
  "type": "user"
 },
 "originalFilename": "splash.png",
 "fileExtension": "png",
 "md5Checksum": "108e62ba72a0b33cb4bc7628e48d2e2c",
 "fileSize": "22375",
 "quotaBytesUsed": "0",
 "ownerNames": [
  "WU JUANG CHEN"
 ],
 "owners": [
  {
   "kind": "drive#user",
   "displayName": "WU JUANG CHEN",
   "isAuthenticatedUser": false,
   "permissionId": "18429462472537742596",
   "emailAddress": "[email protected]"
  }
 ],
 "lastModifyingUserName": "WU JUANG CHEN",
 "lastModifyingUser": {
  "kind": "drive#user",
  "displayName": "WU JUANG CHEN",
  "isAuthenticatedUser": false,
  "permissionId": "18429462472537742596",
  "emailAddress": "[email protected]"
 },
 "capabilities": {
  "canCopy": true,
  "canEdit": false
 },
 "editable": false,
 "copyable": true,
 "writersCanShare": true,
 "shared": true,
 "explicitlyTrashed": false,
 "appDataContents": false,
 "headRevisionId": "0B-l1jDyJ1EfRZERkZnJmcUZxRHlkUzk0bEx6bmhMUzd3WXdrPQ",
 "imageMediaMetadata": {
  "width": 375,
  "height": 812,
  "rotation": 0
 },
 "spaces": [
  "drive"
 ]
}

Analytics

  1. I have your email address "emailAddress": "[email protected]" and name
  2. A view link of the file https://drive.google.com/file/d/1AzP6ISIrC8CvK3rTZfNBJ8qZL6LwcaSI/view?usp=drivesdk as well as a download link for it.

Note: "parents": [], should contain the ID of the parent directory for this file. I am going to assume that its either private or in your root directory. If you say that the directory for this file is public i think its an awesome feature of google not to display this.

Which would mean that the answer is if you have the file id you dont necessarily get access to the folder id.

Upvotes: 1

Related Questions