0

I have a "master" spreadsheet, where I make frequent updates with new features, and then create a "public" copy of it, that ANYONE can EDIT, as there are "user-defined" parameters (via dropdown lists) they can set in it.

BUT, I don't want them to have any access to the attached script, as I'm concerned they could write some malicious script and run it to access my Drive folders, permissions, etc etc.

Been reading up a lot on this, as a newbie, but as far as I understand this is not possible - so I'd have to "trust" users not to get up to any mischief.

Have I missed a way to do this - or is there a work-around? MTIA

maxhugen
  • 1,870
  • 4
  • 22
  • 44
  • 1
    As you call yourself "a newbie" don't share with anyone with the link to edit your spreashsheet with a bounded script. If you want to stop being a newbie and need help to understand how the script authorization works please add more details about what you have reading and what your "attached script" does. – Rubén Nov 09 '20 at 18:54
  • 1
    Related [How to protect the Apps Script code in a Google spreadsheet?](https://stackoverflow.com/q/16075446/1595451) – Rubén Nov 09 '20 at 19:02
  • Is it essential that the users input is shared by everyone, including yourself? Could the users make a copy of your spreadsheet, and add their input to their copy? If you need to have a consolidated view, your master (which they can view but not edit) could pull together the input from all the copies, if the users provide you the sheet name of their personal copy. This may sound complicated, but it is another design approach that might be applicable in your case... Or have the users submit input via a form, that you consolidate into one sheet that all can view...? – kirkg13 Nov 09 '20 at 20:00
  • Perhaps I should have explained the context of this ss better. I'm a member of a forum dedicated to the next America's Cup yacht race. As the yacht is a new concept, a 75' foiling monohull, many of us try to work out how the boat operates, including technical stuff. – maxhugen Nov 10 '20 at 01:44
  • The ss attempts to derive some factors, such as Boat Speed, Forces on sails etc, by allowing a user to set some params on the sheet. There is no sensitive or private info in this ss. I would make the ss available to anyone that's interested in this esoteric topic, and when I provide the link, I'd suggest to them that they save their own copy, so that they know what's changed, and to keep their settings (I save these to the script "Properties). – maxhugen Nov 10 '20 at 01:52
  • As I'm struggling to *fully understand the security setup, my only concern is that use*rs don't have access to my Drive folder and any files in there, by writing some code in the existing script etc. The copy of the ss is in a folder I called "public". Thanks for your responses. – maxhugen Nov 10 '20 at 01:55
  • PS: Thanks @Ruben, I'm reading the link you provided, and will study the "publish" option it mentions. – maxhugen Nov 10 '20 at 01:58
  • 1
    @maxhugen Sharing a spreadsheet including **a basic** script will not give access to your Drive files/folders to anyone but any editor could edit the script and there is a risk that someone modify the script to send emails using your account, to share your folders/files or event to create triggers the next time that **you** run the script. Maybe publishing and add-on is too much work and it could be better to use an standalone script or put your script in another spreadsheet – Rubén Nov 10 '20 at 02:12
  • Thanks again Ruben. Yes, publishing seems beyond what I need - and probably my abilities. I've just read about "Running a standalone script" but it doesn't say how functions would be called from the "public" ss. Nor how I'd call a function from another ss, like maybe my "master" copy. Need to do some more Googling to find the info I need, I think. – maxhugen Nov 10 '20 at 06:13
  • Are you concerned that they will have access to the script you've written, or that they will have access to any script bound to the "public" copy, even if it's empty? If it's the former, I think using a standalone script could be useful. In this case, would you consider providing the code related to your script? Also, I assume this script is bound to your template spreadsheet? – Iamblichus Nov 10 '20 at 09:44
  • I'm not concerned if users can view the code, there's nothing sensitive or critical in there. But from what I've read, and as @Ruben pointed out above, there IS a risk that "someone could modify the script to send emails using [my] account, to share [my] folders/files or event to create triggers the next time that [I] run the script." Hard to believe Google have such an awkward, unfriendly and immature security system for their Scripts! (IMO as an ex=programmer) – maxhugen Nov 10 '20 at 21:57
  • They need your authorization, or to impersonate you with a service account which has been granted domain-wide authority, in order to access data you have not shared with them. I don't know how they would modify your code in order to access that. But in order to clarify that, it would be useful if you could provide your current code. – Iamblichus Nov 12 '20 at 10:28

0 Answers0