We are looking to create a project for access to a specific folder with Read only permission.
My question is when creating the project what ways are there to limit access and permission in the project itself?
Can this be done? and is it through the enable APIs. I have done some reading on this and I cannot find a conclusive answer.
What APIs would I need enabled to apply this.
I will not be in control of any scripts, this will be a project for web application.
The scenario of what we have is Many thousands of files with in google drive, we want to give access to a specific folder and not have the ability to go through the rest of our google drive. They will be using Javascript to download files from this and upload automatically in to a system at there end, they are looking to use the Google drive API to do this.
Look forward to your replys opinions and direction on this.
Many thanks
you cannot do this at the project console level. you are missing info like how the webapp authenticates the user or whether the drive api calls are server side or client side. but in either case what you need is to never use the drive owner account and simply share that folder readonly public or to specific emails.
for a more detailed answer you need to explain much better the scenario.
Related
I'm going to make a project using the Google translate api and I'm thinking of uploading this project to a server and just sharing it with my friends. But unfortunately the Api Key that I will use in the project can be accessed clearly in the JavaScript file. This is a very bad situation. To prevent this, I have limited the Google Cloud Api and as far as I understand it is only allowed to be used on the links I allow. It cannot be used on other links. Now my main question is, is this method enough to protect Api from malicious people? Do I need to do anything else? Thank you in advance for your answers.
Best practice in these cases is to use .env files to keep data like API keys private.
You have to create a server for that which will perform OAuth and then send an API request to google.
You can get help about how to implement OAuth from this topic provided by google: https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
If you send/attach your API key in frontend like javascript which is basically a frontend language then it can be used to:
Send fake requests which will use all of the bandwidth etc.
You should also consult the TOS.
On November 5th 2014 Google made some changes to the APIs terms of Service.
Like you I had an issue with the following line.
Asking developers to make reasonable efforts to keep their private
keys private and not embed them in open source projects.
That is however really only an issue if you are releasing the source code of your app as an Open source project for example.
If your just hosting this on a server then what you shoudl do is set up limitations for the api key adding_application_restrictions you can limit it so that the api key can only be used from your server and no where else.
I have a Google Spreadsheet file and a JavaScript application, hosted using Google Firebase free plan – if that changes anything. I would like to grant my application a read/write permission to the file so that when a user, posts something using my app, it will be written to the SpreadSheet as a new line. I thought that should be a simple scenario but…
While I got the read part running, using the API_KEY, the writing part seems to require OAuth authentication - even if the file itself is 100% public…
In my scenario the application itself should be the one, authenticating to the Sheet API - not the user of that application.
So, is there any way around this? Or to somehow log-in using OAuth on the application level?
Please note: I know I could use Firebase here, but let’s just assume that for now, it is not an option.
My final solution was to use Google Apps Script instead of Google Sheets API, as described here:
https://stackoverflow.com/a/49459945/2384366
After publishing the scrip with the ‘Who has access to the app’ = ‘Anyone, even anonymous’ – I was able to use the doPost function to do exactly what I wanted.
Perhaps it’s not the best solutions – but it works (and frankly, gives us much more control).
I'm a teacher. My grade book is a .xlsm file, located in my Google Drive folder. I'm building a web app, also in my Drive folder, that shows the students names arranged according to the seating chart. I want to run the app on my Android phone, and click a student's name to add a participation mark to the grade book. The app should also display the students' existing participation scores (from the grade book). What is the best way to go about accomplishing something like this?
*I initially tried to do this using another .xlsm file but, when I realized that macros don't run on the Android version of Excel, I switched to an HTML-based app. Was that the right decision?
Here is a sample .xlsm file. In this case, the app would check cell A2 to make sure it's the correct student and then both read and write to cell B2.
If Excel isn’t doing it for you on Android then I’d strongly suggest looking in to Google Sheets. Creating an app for this yourself would be a fun project, if you enjoy that sort of thing, but Google Sheets sounds like it might do the job and you can be up and running in a few minutes.
Having got that out of the way I think it would be best to clear up how web apps work, it sounds like you have some confusion about how they work (or I am from your question!).
A web app is typically made up of two parts, a client and a server.
The client requests resources from the server and the server responds. For example, the client requests the resource associated with example.com, the server is listening for this request and fulfils it by returning a string of text with some meta saying its html. The client (lets say its a browser) understands this is html and begins to parse and render it. If it hits <link> or <script> (or some other stuff) it knows to go and request more resources from a server.
The client is totally detached from the server, it has limited access to the file system and must perform tasks by asking the server to do them. It can only ask, not enforce.
Often there is a 3rd piece which is storage of some sort, this could be a file system somewhere or a database. The client is also detached from this and the server (or another service) owns and manages the storage. In your case Google Drive can act as your storage.
A web client has no direct access to your Google Drive, although if its contents is public there is likely a scheme for you to get a resource (I don't know how Google Drive works but this is fairly likely). I'm not sure it will let you write to the Drive though, not without additional permissions (granted through authentication) being acquired. Many popular frameworks and libraries will allow you to interface with Google Drive and handle the auth handshake etc etc, they are often called a driver or connector.
Very basically, you'd likely need a couple of parts:
Storage -> Connector -> Service -> Client
You can get away with putting connector and service together, and you might be able to get away with connecting direct from the client, which would save you the trouble of creating, hosting and running a service.
The last piece of the puzzle is the conversion you must do from the .xls data into something JS on the client can work with (again, there are often multiple ways of doing things, you might decide to render your page on the server).
There are many tools out there that can convert from .xls to json, which JS can then parse and use (on client or server). I have used one a couple of times but I can't remember which one right now, a quick npm search throws up a number of hits.
Your best option is not to use Google Drive at all. If you are interested in doing something like you described, I would strongly recommend using either PHP and MySQL (a popular combination) or Google Cloud Platform's App Engine (they provide a lot of help, even allowing you to easily build an app that you can sign in to from your Android device with your Google account). If you're more in the mood for Do-It-Yourself, I would probably recommend Spring Boot (These tutorials look pretty good)
When it comes to integrating with Google Drive, it is technically possible to do, but so difficult that you would be much better off writing your own system from scratch and perhaps exporting to an Excel file. (See this page for a tutorial on exporting to Excel from Java)
You have several concerns with the final solution for your problem:
Security (You don't want students breaking into it, like I probably would have done)
Accessibility (You want to get at the information on your phone and your computer)
If I was in your position, I would probably write a Spring Boot application (which can house it's own database, website and API for a computer/phone to communicate with) and an Android application that talks to it.
Also, it would be helpful to know what programming languages and/or libraries/frameworks you have used in the past in order to make better recommendations for your situation. What have you used in the past?
If you need help or have questions, just message or comment.
I am new to google api. I am able to do this file upload from app script and any file which is uploaded through that script get stored to my drive only.
But how to do this using javascript.
Example on google : https://developers.google.com/drive/web/quickstart/quickstart-js
shows how to do this but file gets uploaded to the same user's drive who is authorizing the app. How to restrict it to my drive only.
Thanks
Simple answer is you cant with JavaScript. The reason being is that JavaScript works with OAuth2 this requires that you ask the user permission to access your data.
If you want to have it access your drive account you would have to save the refreshtoken some place and then send that when ever the script was loaded. JavaScript is client sided so anyone that checked the code on the page would then have all the information they needed to do what ever they wanted with your drive account. Security wise that's a bad idea.
I recommend you look into using a server sided scripting language like PHP. You might want to consider a service account. Note: everything will be owned by the service account so you will either have to give the Service account access to your Google Drive files or you will need to move your drive files to the Service account.
If you don't want the service account to have the files you could go with normal Oauth2 save the refresh token and then store it in the server sided code there wont be as much of security risk there.
http://www.s3fm.com/ is really useful for uploading/viewing files for personal viewing.
I was wondering if there was something good for social networks (using Amazon s3 or something similar),
where it will only show the subset of files uploaded by a specific user (for example, limit access to the user's specific bucket).
Can s3fm be adapted to this solution? or is there something else out there?
Chris, thanks for bringing this up.
Next version of S3fm will allow just that: sharing files and "folders" with your friends and colleagues using your own S3 account. A bucket owner will be able to use his or her credentials to create new (non-AWS) "accounts" and assign different permissions for each user. Then s/he will be able to select files to share or "folders" for uploads for each of those users.
A secure authentication method has been developed on top of regular Amazon S3 API so no 3rd party service will be required for that purpose. In fact, your newly created account credentials are not even accessible to anyone but you and you users . On the flip side, if you loose them - they are gone, we wont be able to restore them. :)
This version was expected this coming Fri (Aug 9, 2009), but apparently will be delayed another week or so.
Happy to help, feel free to follow up with questions or ideas,
I believe you would need to build your own system to do this. What you use doesn't really matter, you could use S3, Azure, etc as your base storage "cloud."
There is no method of authentication on S3, it only serves files publicly. You can of course obfuscate the file names by naming them with hashes. But still only a fileserver. Maybe roll your own system?
Then make it public so I can use it... it would be awesome!