
I inserted a Google Apps Script as a gadget in a Google Site. This GAS implements a page on HTML Service and is intended to capture user data and store it in the ScriptDb of another script. Playing around, I noticed that by viewing the source code of the Google Site, any user could directly access the GAS via a URL displayed in the source of the Google Site. I followed this link, and there was the GAS! From this link, I tried to save new data to ScriptDb, and I found that fortunately this was not possible. Doesn't this behaviour represent a security issue? Can I be sure that it is not possible to modify the ScriptDb data from this embedded link?


1 Answer


The ScriptDb your script creates can only be accessed by that script's code - just because you have the URL to the published script, or even if you have the code in some form, DOES NOT give you access to the ScriptDb.

However, let's say that in your doGet you are blindly dumping out all the data to HTML output if a certain predictable parameter is passed in; then that is bad. But that would be considered a programming error.

So in short - if your ScriptDb is properly wrapped with the appropriate Apps Script, then access to that ScriptDb is secure.

I can clarify more if you share some code around what you worry might be insecure.
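
The programming error described in the answer, next to a wrapped version, as an added example that is not code from the original post. The `dump` parameter, the `name`/`email` fields and the function names are hypothetical, and `makeFakeDb` is a constructed stand-in for `ScriptDb.getMyDb()` so the handlers can run outside Apps Script.

```javascript
// Constructed in-memory stand-in for ScriptDb (query/save only) so this runs
// outside Apps Script; in a real script, db would be ScriptDb.getMyDb().
function makeFakeDb(rows) {
  return {
    query: function () {
      var i = 0;
      return {
        hasNext: function () { return i < rows.length; },
        next: function () { return rows[i++]; }
      };
    },
    save: function (obj) { rows.push(obj); return obj; }
  };
}

// The programming error: a predictable parameter ("dump" is hypothetical)
// makes the public URL return every stored record.
function doGetUnsafe(e, db) {
  if (e.parameter.dump === '1') {
    var out = [], results = db.query({});
    while (results.hasNext()) out.push(JSON.stringify(results.next()));
    return out.join('\n');
  }
  return '<form>...</form>';
}

// Wrapped version: the GET handler never reads the database, whatever is passed.
function doGetSafe(e, db) {
  return '<form>...</form>';
}

// The only write path: validate, then store just the expected fields.
function saveEntry(form, db) {
  var name = String(form.name || '').trim();
  var email = String(form.email || '').trim();
  var ok = name.length > 0 && name.length <= 100 &&
           email.length <= 254 && /^[^@\s]+@[^@\s]+$/.test(email);
  if (!ok) return 'invalid input';
  db.save({ name: name, email: email }); // extra submitted fields are dropped
  return 'saved';
}
```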