Want to give access of new site from drive api, getting error "Sorry, an item is restricted in sharing." - google-sites

We are using the Google Drive API with Node.js to grant permission for user scope. It is working fine for any folder in Drive with the scope below:
drive.permissions.create({
fileId: mysiteUrl,
sendNotificationEmail: false,
resource: {
role: 'reader',
type: 'user',
emailAddress: EmailIdofUser,
}
}, (error, permissionResponse) => {
if (error) {
console.log(error);
} else {
res.send("drive access granted");
}
});
When we use the new Google Sites to provide the access, it gives the error "Sorry, an item is restricted in sharing.".
Can you please guide us on what the correct scope file should be?
Regards,
Anubhav.

Related

Is there any way to remove access to a Google Sheet from already shared users by using the Google Sheets API or Google Drive API, etc. in Node.js?

I am using the Google Sheets API as well as the Google Drive API (Node.js). I have created a Google Sheet using a service account and shared it with one email, "xyz@gmail.com", with the role of 'reader'. Now, after 5 minutes, I want to remove the access from "xyz@gmail.com", so that the sheet is no longer accessible to "xyz@gmail.com".
Note: the owner of google sheet is service account.
Below is the snippet of code.
const { google } = require("googleapis");
const auth = new google.auth.GoogleAuth({
  keyFile: "private_keys.json", // the key file
  // URLs of the Sheets and Drive API scopes
  scopes: ["https://www.googleapis.com/auth/spreadsheets",
    "https://www.googleapis.com/auth/drive"],
});
var body = {
  'type': 'user',
  'role': 'reader',
  'emailAddress': 'xyz@gmail.com',
};
var drive = google.drive({version: 'v3', auth});
drive.permissions.create({
  'fileId': spId, // sheetID returned from create sheet response
  'resource': body,
}, function(err, response) {
  if (err) {
    console.error('error-------', err);
    return;
  } else {
    console.log(JSON.parse(JSON.stringify(response)));
  }
});
I believe your goal is as follows.
You want to delete the permission of xyz@gmail.com from a file using googleapis for Node.js.
In this case, how about the following sample script?
Sample script:
const spId = "###"; // Please set the file ID.
const email = "xyz@gmail.com"; // Please set the email address whose permission you want to delete.
drive.permissions.list(
  { fileId: spId, fields: "permissions(emailAddress,id)" },
  function (err, response) {
    if (err) {
      console.error("error-------", err);
      return;
    } else {
      var permission = response.data.permissions.find(({ emailAddress }) => emailAddress == email);
      if (permission) {
        drive.permissions.delete({ fileId: spId, permissionId: permission.id },
          function (err, response) {
            if (err) {
              console.error("error-------", err);
              return;
            } else {
              console.log(JSON.parse(JSON.stringify(response)));
            }
          });
      }
    }
  });
When this script is run, the permission ID is searched using the email address. And, when the permission is found, the permission is deleted.
References:
Permissions: list
Permissions: delete

Google API Node.js Library - Grant Role to service account at project level

Goal
Assign a role dialogflow.admin to a service account I created for a project using the Node.js Client library for Google APIs.
Issue
When I try to update my service account's IAM policy and add a role to the service account, I get an error that the role is not supported for this resource type.
I am trying to give my service account the Dialogflow API Admin Role roles/dialogflow.admin
The method in the Node.js client library I am using is iam.projects.serviceAccounts.setIamPolicy.
I have already managed to create the service account with this Node.js client library with a function shown here.
async function createServiceAccount(projectID, serviceAccountID){
const authClient = await auth.getClient();
var request = {
name: "projects/"+projectID,
resource: {
"accountId": serviceAccountID,
"serviceAccount": {
"description" : "Service Account for project: "+projectID+" for DialogFlow authentication with VA",
"displayName": "VA Dialogflow Service Account "+projectID
}
},
auth: authClient,
};
await iam.projects.serviceAccounts.create(request, function(err, response) {
if (err) {
console.error(err);
return;
}
console.log(JSON.stringify(response, null, 2));
});
}
After this function runs, and I am sure the service account is created, I run my function that is meant to set the roles of this service account.
async function setServiceAccountRoles(projectID, serviceAccountID){
const authClient = await auth.getClient();
var request = {
resource_: "projects/"+projectID+"/serviceAccounts/"+serviceAccountID,
resource: {
policy: {
bindings: [
{
// role: "projects/"+projectID+"roles/dialogflow.admin",
role: "roles/dialogflow.admin",
"members": [
"serviceAccount:"+serviceAccountID
]
}
],
version: 1
}
},
auth: authClient,
};
await iam.projects.serviceAccounts.setIamPolicy(request, function(err, response) {
if (err) {
console.error(err);
return;
}
console.log(JSON.stringify(response, null, 2));
});
}
Error
When I run this function I am given this error:
code: 400,
errors: [
{
message: 'Role roles/dialogflow.admin is not supported for this resource.',
domain: 'global',
reason: 'badRequest'
}
]
I have used these following resources to get this far:
https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/setIamPolicy
https://cloud.google.com/iam/docs/reference/rest/v1/Policy
https://cloud.google.com/iam/docs/granting-changing-revoking-access#granting_access_to_a_service_account_for_a_resource
Alternative methods.
I have tried changing the role to a project specific path like this:
async function setServiceAccountRoles(projectID, serviceAccountID){
const authClient = await auth.getClient();
var request = {
resource_: "projects/"+projectID+"/serviceAccounts/"+serviceAccountID,
resource: {
policy: {
bindings: [
{
role: "projects/"+projectID+"roles/dialogflow.admin",
"members": [
"serviceAccount:"+serviceAccountID
]
}
],
version: 1
}
},
auth: authClient,
};
await iam.projects.serviceAccounts.setIamPolicy(request, function(err, response) {
if (err) {
console.error(err);
return;
}
console.log(JSON.stringify(response, null, 2));
});
}
However, with this I get the error: message: "Role (projects/va-9986d601/roles/dialogflow.admin) does not exist in the resource's hierarchy.",
Is it possible that the only way to update my service account's roles and permissions is through the console or gcloud commands? If so, are there any recommended ways of running said gcloud commands through the Node.js client library or from a Node application itself?
You are trying to set an IAM policy on the service account. That is used to grant other identities access to the service account itself.
You should modify the IAM binding for the project and not for the service account.
Use the getIamPolicy and setIamPolicy. Examples are included with the documentation.
WARNING: be very careful writing code that modifies a project's bindings. If you overwrite the bindings you can easily lock yourself out of your project. Then you would need to open a paid support ticket with Google Cloud Support. Practice with a throwaway project.
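The read-modify-write pattern the answer recommends, as an added example that is not part of the original answer: it merges one binding into the project's existing policy instead of replacing the bindings, and keeps the etag so a concurrent change is not overwritten. The crm client is passed in by the caller and is assumed to be google.cloudresourcemanager('v1') from googleapis; the function names are hypothetical.

```javascript
// Added example (not from the original answer). `crm` is an assumed, injected
// client exposing projects.getIamPolicy / projects.setIamPolicy, for instance
// google.cloudresourcemanager('v1') from the googleapis package.

// Every (role, condition, member) grant in a policy, as comparable strings.
const grants = (policy) => new Set((policy.bindings || []).flatMap((b) =>
  (b.members || []).map((m) => `${b.role}|${JSON.stringify(b.condition || null)}|${m}`)));

// Pure merge: returns a new policy; existing bindings, version and etag are kept.
function addBinding(policy, role, member) {
  const bindings = (policy.bindings || []).map((b) => ({ ...b, members: [...(b.members || [])] }));
  // Reuse only an unconditional binding for the role; conditional ones stay untouched.
  let target = bindings.find((b) => b.role === role && !b.condition);
  if (!target) {
    target = { role, members: [] };
    bindings.push(target);
  }
  if (!target.members.includes(member)) target.members.push(member);
  return { ...policy, bindings };
}

async function grantProjectRole(crm, projectId, role, member) {
  // 1. Read the live policy. Requesting version 3 keeps conditional bindings
  //    in the response; the etag ties the later write to this exact read.
  const { data: current } = await crm.projects.getIamPolicy({
    resource: projectId,
    requestBody: { options: { requestedPolicyVersion: 3 } },
  });
  const updated = addBinding(current, role, member);

  // 2. Lock-out guard: every grant that existed before must still be present.
  const after = grants(updated);
  for (const g of grants(current)) {
    if (!after.has(g)) throw new Error(`refusing to drop existing grant: ${g}`);
  }

  // 3. Write the merged policy back. Because the etag from step 1 is included,
  //    a concurrent change makes this call fail instead of being overwritten.
  const { data } = await crm.projects.setIamPolicy({
    resource: projectId,
    requestBody: { policy: updated },
  });
  return data;
}
```

A failed write in step 3 should be handled by re-reading the policy and repeating the merge, not by retrying with the stale copy.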

iOS/Firebase - Stripe Connect Account Verification

I've created Connected Accounts using Stripe Connect. The account is created, however, it is restricted due to:
INFORMATION NEEDED
Identity document
Owner's additional document
After messing around, I realised if I just go back and mess around with the settings I am then prompted to verify the account. Is there a way in which I can always demand verification when users sign up? I've looked at the documents, but they have not been much help to me.
This is my code:
exports.createConnectAccount = functions.https.onRequest((req, res) => {
var data = req.body
var email = data.email
var response = {}
stripe.accounts.create(
{
object: 'account',
type: 'express',
country: 'GB',
business_type: 'individual',
email: email,
capabilities: {
card_payments: {
requested: true,
},
transfers: {
requested: true,
},
},
},
function(err, account) {
if (err) {
console.log("Couldn't create stripe account: " + err)
return res.send(err)
}
console.log("ACCOUNT: " + account.id)
response.body = {success: account.id}
return res.send(response)
return admin.firestore().collection('vendors').doc(user.uid).set({account_id: account.id});
}
);
});
Your code specifically creates Express accounts with the card_payments and transfers capabilities. In order for those capabilities to be active you'd need your user to provide additional information.
You can use the Account Links API to redirect your users to a Stripe hosted onboarding form which will collect all of this for you.

403:Forbidden Error on sharepoint online rest api on reading /updating a sharepoint list

I'm trying to connect my Node.js application to update/read list items from https://xyz.sharepoint.com/sites/dev/_api/web/lists/GetByTitle('listname').
I am using SharePoint add-in authentication, where the app was registered on the xyz.sharepoint.com registration page,
with the manifest file permission for the app set to FullControl:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl"/>
</AppPermissionRequests>
Following code is being used:
var sprequest=require('sp-request')
let spr = sprequest.create({
clientId:'clientid',
clientSecret:'client secret'
});
spr.requestDigest('https://xyz.sharepoint.com/sites/dev')
.then(digest => {
return spr.post('https://xyz.sharepoint.com/sites/dev/_api/web/lists/GetByTitle(\'listname\')', {
body: {
'__metadata': { 'type': 'SP.List' },
'Title': 'TesList'
},
headers: {
'X-RequestDigest': digest,
'X-HTTP-Method': 'MERGE',
'IF-MATCH': '*'
}
});
})
.then(response => {
if (response.statusCode === 204) {
console.log('List title updated!');
}
}, err => {
if (err.statusCode === 404) {
console.log('List not found!');
} else {
console.log(err);
}
});
I was able to get the authentication token, but the POST request to the SharePoint Online API (the spr.post part in the code) fails with a 403: Forbidden error ("Access denied. You do not have permission to perform this action or access this resource.").
I also tried with Postman and always end up with the same error.
I don't understand what's going on anymore. Could anyone help? Is it related to the scope of the app? Some issue in the manifest file?
App registration was done in the SharePoint Online site as mentioned in the article: https://medium.com/@anoopt/accessing-sharepoint-data-using-postman-sharepoint-rest-api-76b70630bcbf
Reading the list also failed with the same error via code and Postman.

Error "permission type field is required" when attempting to create permission via Google Drive API

I adapted code from the Google Drive API Quickstart for Node.js found here to try and create a new permission on an existing file in Google Drive.
No matter what I change in the code, I always get the same response saying The permission type field is required even though I've specified it via resource as mentioned in documentation for the npm googleapis client library and other examples I've found.
Is this just not working or am I missing something obvious?
Code to update permission
function updateFilePermissions(auth) {
var drive = google.drive({
version: 'v3',
auth: auth
});
var resourceContents = {
role: 'writer',
type: 'user',
emailAddress: 'user@example.com'
};
drive.permissions.create({
resource: resourceContents,
fileId: aValidFileId,
sendNotificationEmail: false,
fields: 'id',
}, function(err, res) {
if (err) {
// Handle error...
console.error(err);
} else {
console.log('Permission ID: ', res.id);
}
});
}
Response from Google Drive API
code: 400,
errors:
[ { domain: 'global',
reason: 'required',
message: 'The permission type field is required.',
locationType: 'other',
location: 'permission.type' } ]
To anyone that's still looking at the answer, it needs to be formatted like this:
{
  fileId: fieldID, // String
  resource: {
    role: putRoleHere, // String
    type: putTypeHere // String
  }
}
Google's APIs are using Axios for the HTTP client so it will be auto-stringified for you when using their methods :)
It seems like the sample code for this API produced by the docs is invalid. By analyzing outgoing requests in the devtools Network and a bit of guessing I found out that the resource fields must be placed in the root level alongside the fileId.
response = await gapi.client.drive.permissions.create({
fileId: "18TnwcUzeBGCHpr7UWW-tKjf2H2RKOKx2V2vaQiHR-TA",
emailMessage: "huj sosi",
sendNotificationEmail: false,
role: 'writer',
type: 'user',
emailAddress: 'user@example.com',
})
Considering that docs don't encourage using a specific version of the library, I suppose there was just a random breaking change in it at some point causing the inconsistency in the docs.
