0

I have two main spreadsheets. The first is like a database, let's call it "A". The second ("B") will be used by the user to view some records from the "A" with importrange. The user can make some changes to the "A" but only with scripts. Also, I want to hide the "A" spreadsheet from the user so that they can't just go directly to the "A" and see whatever data they want.
Is there any way to achive this?

My last attempt:
The user must be an editor to make changes to the "A", so I set spreadsheet sharing option to "anyone in your organization can edit" so that users can edit but cannot see the "A" spreadsheet unless they have a URL. So i wanted to hide the URL from them. I thought that would be enough. The URL is in two places: one in the importrange function, one in the script.
To hide this in importrange, I created third spreadsheet (let's call it "C") which imports the range from the "A" and now the "B" imports range from the "C". I am the only one who has access to the "C" and via my account i have connected "B" with "C" and "C" with "A". So even if user reads the URL from the functon, he can't see exacly what's inside the "C".
To hide a URL a bit in a script, I created an external library with the URL inside. The user can still find it, but it's a little more difficult.
The main problem with all of this was that when the user ran a script that edits "A", the "A" spreadsheet would appear in the "Shared with Me" folder.

Maciek
  • 131
  • 7

1 Answers1

2

Publish a webapp bound from Spreadsheet A:

  • Access: Anyone, even anonymous or Anyone

  • Execute as: Me

  • WebApp scopes: Current spreadsheet only(Add //@OnlyCurrentDoc jsdoc)

  • Functions in script(script1): doPost()

  • POST request from script(say, script2) in SpreadsheetB on behalf of user.

  • If access:Anyone is used, then the script1 needs to be shared with user(view access) and user's drive scope needs to be included in the post request.

  • The above conditions don't apply to Anyone, even anonymous. However at this point, Anyone in the world including bots maybe able to access your spreadsheet. It's upto you to enforce any kind of authorization/security to stop such attacks inside doPost.

  • Another way is just to publish another webapp(script3) with access: anyone and execute as: "User accessing the webapp" => get their email server side => post to script1 webapp. In this case again, if script1 is published with Access:Anyone, even anonymous, You need to take care of authorization between the two webapps.

  • Also note that service accounts can be used. Some service account can be used to just access a Webapp script with Access:Anyone in order to avoid drive scope. Some can be used to access userdata via domain wide delegation.

TheMaster
  • 45,448
  • 6
  • 62
  • 85
  • I finally tested it. It looks like it will work exactly as I wanted. I can even get the email of the user who called the URLfetchApp.fetch() function with Session.getActiveUser().GetEmail() even if the webapp script is running as me. You helped me a lot. – Maciek Sep 02 '20 at 10:49
  • @Maciek Great. They won't be easily possible outside a organization. Since you're using gsuite, you're able to get the email. – TheMaster Sep 02 '20 at 13:03