David Caradonna

Reputation: 1

How to use "https://www.googleapis.com/auth/drive.file" to minimize permissions?

I'm trying to use the Advanced Drive Service with the scope "https://www.googleapis.com/auth/drive.file" to minimize permissions. My app only accesses files located on my Webapp Google Drive, which are shared with incoming users. No actions are needed against the user's Google Drive, which is why I'm trying to avoid asking for permission to access all their Google files, which is inherent with DriveApp.

appsscript.json

{
  "timeZone": "America/Los_Angeles",
  "dependencies": {
    "enabledAdvancedServices": []
  },
  "exceptionLogging": "STACKDRIVER",
  "runtimeVersion": "V8",
  "oauthScopes": [
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/drive.file"
  ],
  "webapp": {
    "executeAs": "USER_ACCESSING",
    "access": "ANYONE"
  }
}

Apps script:

 console.log(folderId); // this returns a valid ID
 var folder = Drive.Files.get(folderId);  // this fails, Drive is not defined
 var query = "trashed = false and mimeType != 'application/vnd.google-apps.folder'";
 var files = Drive.Files.list({q: query}).items;

I tried republishing after modifying my JSON, and I tried clearing my cache, to no avail.

The other articles suggest adding Drive API as a service, but my goal is to stay clear of that API because of the permission authorization it requires. Modifying the script to use DriveApp works flawlessly, but again the permission request is outrageous.

Please advise if I'm on the wrong path here.

Upvotes: 0

Views: 555

Answers (1)

TheMaster

Reputation: 50731

Drive is an advanced Google service and it needs to be enabled to use the API.

DriveApp or Drive cannot be used with scope drive.file. You can, however, use UrlFetchApp to directly access the API, provided the file accessed

  • is first selected using Google Picker (which needs its own scopes), or
  • is created from this script project

See https://github.com/googleworkspace/apps-script-oauth2/tree/main/samples/NoLibrary for a sample.


> My app only accesses files located on my Webapp Google Drive, which are shared with incoming users, no actions are needed against the user's Google Drive

In that case, you may try publishing the webapp as

  • Execute as "me"

Then your users don't need to authorize any scopes. But, if you also need the user's email, you can try the two webapp technique mentioned here.

Upvotes: 0
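An added example, not part of the original answer or the linked sample: calling the Drive v3 REST API through UrlFetchApp with the script's own token, so the manifest needs only the drive.file scope. The function names and the ID pattern are assumptions made for illustration; the ID check keeps a folder ID taken from a request parameter from altering the search query.

```javascript
// Added example (not from the original post). Runs in Apps Script with only the
// drive.file scope in appsscript.json; no advanced Drive service is enabled.
const DRIVE_FILES_URL = 'https://www.googleapis.com/drive/v3/files';

// Drive IDs are URL-safe strings; reject anything else so a value taken from a
// request parameter cannot alter the search query. (Pattern is an assumption.)
function assertDriveId(id) {
  if (typeof id !== 'string' || !/^[A-Za-z0-9_-]{10,}$/.test(id)) {
    throw new Error('Invalid Drive ID');
  }
  return id;
}

// Build the files.list URL for non-folder, non-trashed children of folderId.
function buildListUrl(folderId) {
  const q = "'" + assertDriveId(folderId) + "' in parents and trashed = false" +
    " and mimeType != 'application/vnd.google-apps.folder'";
  return DRIVE_FILES_URL + '?q=' + encodeURIComponent(q) +
    '&fields=' + encodeURIComponent('files(id,name,mimeType)');
}

// Call the Drive REST API with the script's own OAuth token.
function driveGet(url) {
  const res = UrlFetchApp.fetch(url, {
    method: 'get',
    headers: { Authorization: 'Bearer ' + ScriptApp.getOAuthToken() },
    muteHttpExceptions: true // inspect the status code ourselves
  });
  const code = res.getResponseCode();
  if (code !== 200) {
    // Files outside the app's drive.file grant are not visible to this token.
    throw new Error('Drive API returned HTTP ' + code);
  }
  return JSON.parse(res.getContentText());
}

// Metadata of one file or folder the app created or the user picked.
function getFileMetadata(fileId) {
  return driveGet(DRIVE_FILES_URL + '/' + assertDriveId(fileId) +
    '?fields=' + encodeURIComponent('id,name,mimeType'));
}

// Files in a folder that are visible under drive.file.
function listFilesInFolder(folderId) {
  return driveGet(buildListUrl(folderId)).files || [];
}
```

Note that v3 returns the list under `files`, not `items` as in the v2-style call in the question.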
