16

My app uses Google Drive API to read files that a user has uploaded to their Drive storage area, and to write files and folders into this same directory. The user logs in with their own account/credentials.

My current understanding is that the only scope (access level) available for me to use in this case is "full drive access".

Is this a correct statement?

Dropbox supports an "Apps" folder where I can use their API to read/write, while being restricted to my own area. I'm surprised that Google doesn't offer something similar, as my users may not want to grant read/write access to their entire Drive storage, when all I need access to is a single directory (and all sub directories within, whether I create or user creates).

To provide a little more info, my app is a flashcard app. I want users, at a minimum, to be able to upload spreadsheets with data to be read in by the app. But users would like it if I didn't need full access to all their data.

Ernie Thomason
  • 1,579
  • 17
  • 20
  • 1
    Although I'm not sure whether this is useful for your situation, If you want to make users access to only the files created by your application, how about this? [The official document](https://developers.google.com/identity/protocols/googlescopes#drivev3) says that for the scope of ``https://www.googleapis.com/auth/drive.file``, ``View and manage Google Drive files and folders that you have opened or created with this app``. If this was not useful for your situation, I apologize. – Tanaike Apr 16 '19 at 07:28
  • 1
    Thanks Tanaike . Yeah, I'm aware of this scope, but I need to be able to read files that users have uploaded outside of the app (which this scope doesn't support). Because I want to read user create files, it seems user/Drive must grant me full access to their entire library. – Ernie Thomason Apr 16 '19 at 14:55
  • 1
    Thank you for replying. I apologize my comment was not useful for your situation. If my understanding for your situation is correct, for example, when the file is uploaded to user's google drive, how about sharing the file to your account or service account? By this, only the file can be accessed. If I misunderstand your situation, I apologize. – Tanaike Apr 16 '19 at 22:29
  • That might work for transferring a single file. Having them enter another account name to share with seems clunky, and getting hundreds/thousands of shares and finding their files with API all seems troublesome. One user wondered if they could paste a shared link into my app. While that works outside of an API with a personal account, I don't know how that works from an API perspective. While this kind of approach could maybe potentially work, it's not path I want to consider at this time. I'm more interested in straight API access from a single user account. – Ernie Thomason Apr 17 '19 at 11:27
  • I apologize that my comments were not useful for your situation. Can I ask you about ``I'm more interested in straight API access from a single user account.``? Do you want to make access users to user's Google Drive using each account? Or do you want to make access users to user's Google Drive using only one account? – Tanaike Apr 17 '19 at 11:53
  • Hi Tanaike. The "single user account" is the user's own personal account. I don't want to have a service account. So the user will log in with their own credentials. At this point I have access to ALL their files on Drive. The original question was, at this point can the app import a file that they uploaded to Drive, without having to have full Drive access. – Ernie Thomason Apr 19 '19 at 13:39
  • I apologize that my comments were not useful for your situation. This is due to my poor experiences. I apologize again. – Tanaike Apr 20 '19 at 02:34
  • I don't understand what's wrong with `auth/drive.file` as @tanike suggested. Your app could create the folder. Then anything created in it you should have access to correct? – Jerinaw May 07 '22 at 05:23
  • Jerinaw, 'drive.file' only gives you permission to files that your app has created or the user has explicitly shared with your app. They "share" a file by selecting from a Google file picker, or sending to the app. This is what Google recommends you try first. But in my case, I want to be able to see all files the user puts in a certain directory, and say they put 100 media files for my app to read, it's not practical for the user to manually choose each of the 100 files. But many apps can get away with "drive.file" I think. (I wonder if user can select a *directory* instead of a file?) – Ernie Thomason May 07 '22 at 17:17

2 Answers2

7

I think the simple answer is... Google Drive doesn't have an "Apps" directory like Dropbox or OneDrive, and if an app want access to files the user uploaded to Drive, the basic way is for the user to grant access to ALL files in Drive.

The "drive.file" scope might work for some since it appears to give access to individual files that the user OK'd. How does the user OK a file? According to the post below, they would send a file from the Drive app to my app.

Google Drive api scope and file access (drive vs drive.files)

I think these are the only two permission options to read user's files using the Drive API (without using a service account).

Ernie Thomason
  • 1,579
  • 17
  • 20
  • 2
    To OK a file, you can also have the user pick the file from your app via google.picker (https://developers.google.com/picker). – user2191332 Mar 08 '20 at 00:01
0

There is the Application Data folder for this purpose.

To limit an app's access to its folder only, you can set

const SCOPES = "https://www.googleapis.com/auth/drive.appfolder"

Read more here: https://developers.google.com/drive/api/v2/about-auth

lehoang
  • 3,577
  • 1
  • 15
  • 16
  • 10
    The problem I see is that this is only for app storing its own data, not for a user to post a file to so the app can read. From docs: "This folder is only accessible by your application and its contents are hidden from the user and from other Drive apps." – Ernie Thomason Nov 21 '19 at 12:10