document creation using google APIs in python - python-3.x

Is is possible to give google service-account's access to whole drive instead of just folders?
I'm unable to switch to a new directory using google docs API in python. It was possible to jump into a folder and then create the document there using google drive APIs but I want to use docs API only and I can't see any way to jump into another folder.

Is is possible to give google service-account's access to whole drive instead of just folders?
If you have a Workspace domain, I'd suggest granting domain-wide authority to the service account in order to impersonate the regular user's My Drive and access everything they can access. See Delegating domain-wide authority to the service account for more details about how to accomplish this.
If this is not an option for you, you should share all top-level items on the Drive, since there's no direct method to share the full My Drive.
It was possible to jump into a folder and then create the document there using google drive APIs but I want to use docs API only and I can't see any way to jump into another folder.
You need to use Drive API to move files between folders. Docs API cannot be used for that.
Sidenote:
Not sure if you're aware of this, but please notice that, if you create a document via Docs API, you can only create a blank document, since all fields apart from title are ignored in this method (see documents.create). If you want to add text, change other properties, etc., you'll have to use documents.batchUpdate.
I'm mentioning this since I don't know whether that was the reason you wanted to create the document via Docs API.

Related

Can spreadsheet users access google app script properties?

I have a google apps script that has an API key set as a property (getScriptProperties()). The script is attached to a spreadsheet. Will users of the spreadsheet conceivably have access to the API key? Would this be different if said property were contained in a library the script invoked?
Will users of the spreadsheet conceivably have access to the API key?
Yes, if stored in Script/Document properties. User properties are also accessible, if the user has installed a trigger.
Would this be different if said property were contained in a library the script invoked?
Kind of. As written in resource scoping, Script properties are not shared, i.e., library has it's own instance of script properties. Although it's not shared automatically, you should be careful not to code in such a way to give access to the end users(i.e., The actual fetch should happen in the library. Secrets should never reach user code). It may still be possible to access the tokens through debugger, overriding methods(see link below). User properties are shared.
Related:
Securely Storing API Secrets used in Google Apps Script - Published Library
What is the appropriate way to manage API secrets within a Google Apps script?

If a google doc/sheet is made public, how easily can other people find the URL?

Is it easy for people to find "public" google sheets/docs?
Context: Storing some semi-sensitive data (individual user info, of non-sensitive nature) for an app beta-test in google sheets. Planning to migrate to some DB in the future, but for now, just using JavaScript to pull the data directly from the google sheets (since there are visualizations being dynamically updated by the sheets).
Yes, it's easy to get information. Search engines may index and cache the information. Then, there are bots, crawlers and scrapers. Do NOT put (semi)sensitive information in public. Implement google-oauth properly with google-sheets-api to get information. You can also use service-accounts
Yes, it can be easily accessed.
According to the official Google article Share files from Google Drive: when you set your file's General Access setting to public:
Anyone can search on Google and get access to your file, without signing in to their Google account.
What you can do:
In the case of your app beta-test in google sheets data, you may want to reconsider to change your file's General Access setting to one of the following (in descending order of security):
Restricted - Only people that you manually give access to can view or edit your files. When you click the share button, a prompt will show and you may manually add the users who can view or edit your files:
Afterwards, you may select a role for those users and then they can be notified afterwards through email.
On the other hand, you can share the link to others. A prompt will show like the one below if you send the url through Google Chat:
You may opt to select Don't give access which will result in the following view on the other user's end:
This would mean that if unauthorized users get hold of the file URL, they will still need to send an access request. If other users submit the request, an email notification will be sent to your mail inbox. Other users who also own the file will also be notified by mail.
Your Organization - If you use a Google Account through work or school, anyone signed in to an account in your organization can open the file. If you are an administrator in a work or school workspace, you may set how members can share content within the organization. The administrator can prevent the sharing of content with group members outside your organization. If external sharing is prohibited, only group members who are in your organization can access the group's shared content.
Anyone with the link - Anyone who has the link can use your file, without signing in to their Google Account. This option is least recommended because if the URL is leaked to unauthorized users, they can easily access the file.
References:
Share files from Google Drive
Share content with a group
Don’t make it public unless you want the public to see it. Use oauth to access.

Is it safe to put in secrets inside Google App Script code?

I'm creating a Google Workspace Add-On and need to make some requests using OAuth. They provide a guide here explaining how to do so. In the sample code, it's suggested that the OAuth client secret be inline:
function getOAuthService() {
return OAuth2.createService('SERVICE_NAME')
.setAuthorizationBaseUrl('SERVICE_AUTH_URL')
.setTokenUrl('SERVICE_AUTH_TOKEN_URL')
.setClientId('CLIENT_ID')
.setClientSecret('CLIENT_SECRET')
.setScope('SERVICE_SCOPE_REQUESTS')
.setCallbackFunction('authCallback')
.setCache(CacheService.getUserCache())
.setPropertyStore(PropertiesService.getUserProperties());
}
Is this safe for me to do?
I don't know how Google App Script is architected so I don't have details on where and how the code is being run.
Most likely it is safe since the script is only accessible to the script owner and Workspace Admins if it is for Google workspace (which may or may not be an issue).
Well, you can add some security/safety by making use of a container, by using Container-bound script which makes use of Google Spreadsheet, Google Doc or any other that allows user interaction. Or a standalone script but also makes use of other way to connect to UI for interaction. Refer to this link for more detailed explanation on that: What is the appropriate way to manage API secrets within a Google Apps script?
Otherwise, the only way I see that you can do is store the keys and secrets in User Properties. Here's how you can do it: Storing API Keys and secrets in Google AppScript user property
Also you can refer to this link below for more general information on how you can manage or add some security: https://softwareengineering.stackexchange.com/questions/205606/strategy-for-keeping-secret-info-such-as-api-keys-out-of-source-control

Share files with between group of user using Microsoft Live sdk

I am developing an application that requires to share files between users using Microsoft Live sdk. But only resource that I came across is by providing a shared link or embed link which expires after some time and are open to public usage. Instead, I want to share files among only certain group of one drive users and that too, permanently. This functionality is already present in one drive itself. Is there any way of doing it using one drive api ?
UPDATE: google drive api supports these.
The OneDrive API support the creation of sharing links, which would be easy to send to the group that you want to give access to a specific file or folder. These links do not expire, however they can be revoked.
Here is an example of the kind of request you can use to create one of these links
POST https://api.onedrive.com/v1.0/drive/items/{item-id}/action.createLink
Content-Type: application/json
{
"type": "view"
}

How to upload xlsx files to my own google drive, then convert them to google spreadsheet and get the shareable link programmatically?

I'm working on a node.js server. I want to upload and convert .xlsx files to google spreadsheet in my own google drive and then get the shareable link programmatically.
However, I found google drive api is specialized for building app for other users to access their drives to do something on your app but not for accessing your own drive programmatically. Do I understand this correctly?
I have read a lot of documents on google developers and some tutorial about this but I cannot find the way to what I want. Is there any way to do what I want? Could you give me some guidelines?
You have misunderstood.
Drive uses oauth2 to handle the identification and authorisation of the target Drive account. Specifically, the Access Token "contains" (conceptually, not literally) the Id of the Drive account.
All of the published examples show how to obtain an access token for a third party user because that is the more common and more complex use case. Obtaining an access token for your own account is much easier.
See
How do I authorise an app (web or installed) without user intervention? (canonical ?)

Resources