How to run a Google Apps Script in a read-only spreadsheet?

1
votes

I'm new to the world of Google Apps Script, and I found myself faced with a problem. I've created a script that runs as an onOpen() trigger, but if the spreadsheet file is read-only, this script does not run. I read that, being read-only, it is not able to run it. Is there a way to remedy this problem?

I gave the permissions in edit, blocking all the cells from scripts. I wish people can not see the script, as this allows them to re-run the script and take "power" on the sheet. If I create an API can I keep the sheet read-only?

Any suggestions?

1
google-apps-scriptgoogle-sheetstriggers
Read only = no scripts execute. The rest of what you say is unclear and probably too broad to be answerabletehhowch
Thank you for your answer. At this point, I would like to know if, by creating an API, I can only give permission to read, allowing the execution of the code contained in the API. Thank youJoeJoe
"create an API" means what? Where will you write it? How will you execute it? Of course if you write your own application and make you users use it, then you have full control over what they can and cannot do with it.tehhowch
My problem is unavailable my scripts available to everyone. If I read-only, users do not see the scripts, but the script does not run, if I edit it, users can see my scripts. So, how can I secret my scripts?JoeJoe
Deploy your script as an add-on, and activate it in the worksheet. Review also the other questions like yours, for example stackoverflow.com/q/38367156/9337071 webapps.stackexchange.com/questions/118256/… No matter what, though, read-only users in the Google Sheets UI can never execute scripts, or have scripts executed for them.tehhowch

1 Answers

0
votes

All scripts must run under someone's authority. Under whose authority, a script is run determines whose data is accessible to the script and whether such authority can run the script.

Authorization Concepts:

  • Scripts which are run from the script editor run under the authorization of user at the keyboard¹. Custom functions runs anonymously. Installable triggers runs under the user created the trigger. WebApps run as per the options selected during deployment.

  • Simple triggers fire automatically and anonymously under these restrictions²:

    The script must be bound to a Google Sheets, Slides, Docs, or Forms file, or else be an add-on that extends one of those applications.They do not run if a file is opened in read-only (view or comment) mode.They cannot access services that require authorization.

  • Installable triggers must be set up and run under the user who set up the trigger³.

    They do not run if a file is opened in read-only (view or comment) mode.Installable triggers always run under the account of the person who created them.A given account cannot see triggers installed from a second account, even though the first account can still activate those triggers.

  • You can restrict access to spreadsheet, sheets or ranges,.

Deductions:

Mr.A(Owner) has a spreadsheet. The spreadsheet has two sheets 1.Main Sheet and 2. Secret Sheet(Sheet is protected and hidden to be edited only by Mr.A). It also has the following scripts: 1. A simple trigger script(onEdit) to set timestamp as a note in every cell that is edited. 2. A installed trigger (AonEdit()) to send email from MrA's email on every edit. 3. A function(summary()) to create a summary of Main Sheet and send email from user's account to himself(to run manually from script editor). 4. A function to protect the secret sheet(protect()) 5. A simple onOpen() trigger logging Someone opened your sheet. And He gives edit access to Mr.B(a editor). What can Mr.B do?

  • Mr.B edits cell A1 in Main Sheet:

    • Simple trigger onEdit is fired anonymously and a timestamp is set on A1 as a note.
    • Installable trigger AonEdit is fired under Mr.A's authority and a email is sent from Mr.A's gmail.This is not known to Mr.B,though he can see the script itself.

  • Mr.B,being a cunning person as he is, unhides the secret sheet successfully and attempts to modify it:

    • Mr.B could not modify the secret sheet,even though he can fully unhide/view it

  • Mr.B finds the script editor and tries to run the function summary(). This function needs gmail permission. Mr.B is greeted with authorization[¹] for Mr.B's gmail account,so that the function may run. Mr.B grants authorization and the summary is sent from Mr.B's gmail account.

  • Mr.B cunningly modifies the protect() function to grant himself edit access to the secret sheet. The user at the keyboard is Mr.B. Mr.B's authority is not enough. He's greeted with the following error:

    You are trying to edit/remove a protected cell or object. Please contact the spreadsheet owner to remove protection if you need to edit.

  • Mr.A (Owner) knows about this unauthorized access attempt by Mr.B, He restricts edit access to All sheets. Now, Mr.B even though has permission to edit the spreadsheet, He cannot edit any sheet in the spreadsheet. Whenever he opens the sheet, the simple onOpen() is triggered logging Someone opened your sheet. Mr.B however can run the function summary() even now(If he has the script editor link) to get the summary of the sheet.

Solutions:

as this allows them to re-run the script and take "power" on the sheet.

A user with write permission can enter the script and modify the permissions.

As explained above, That wont be possible. The sheet/range edit permission is maintained even at the script level. However, A potential loop-hole is the AonEdit() function. If Mr.B were to know that Mr.A had set up a installable trigger for AonEdit() function, He can modify the AonEdit() function to say protection.remove(),which will run under Mr.A's authority(Installable triggers run under the person who created it) and thus the protection is removed.

I wish people can not see the script.

You can use a standalone script. You can also use installable triggers[³] with standalone scripts subject to the restrictions of those triggers(such as It'll only run under your authority). Since the script is not bound to the spreadsheet, Editors on the spreadsheet do not have edit/view permission on the script. Alternatively, You can publish a addon/webapp.