Requested permissions excessive?

renanlecaro / mermaid-gdocs

Mermaidsjs wrapper for gdocs.

https://mermaid-gdocs.lecaro.me/

86 stars 14 forks source link

Requested permissions excessive? #22

Closed geksiong closed 1 year ago

geksiong commented 2 years ago

Can we have a reduced scope of permissions?

Currently, this is what's requested:

See, edit, create, and delete all your Google Docs documents

I also have the PlantUML Gizmo add-on, and it requests for a smaller scope:

View and manage documents that this application has been installed in

I think that's a better scope to request for, and it gives us better peace of mind. The current permission is preventing me from using the add-on for work.

quasipickle commented 2 years ago

I'll chime in that I too want to use this for work, but can't justify giving this access to all my documents.

jonz-secops commented 2 years ago

Agreed, let's see a minimal set of permissions requested. As is, the access scope is way beyond what is appropriate for a professional environment.

renanlecaro commented 2 years ago

Agreed that it would be better. I have other things to focus on right now. If one of you would like to integrate the app better with google docs (ask less permissions, use in slides..), I'd be happy to pass this project on

samadhicsec commented 2 years ago

I also would like to use this add-on, but the permissions make it a challenge to use in a business context.

According to this page https://developers.google.com/apps-script/add-ons/concepts/editor-scopes#editor_add-on_scopes, to fix this all you need to do is add:

/** * @OnlyCurrentDoc */

To the top of the Code.gs file.

I wasn't able to get the add-on working myself, but I got it working enough (with the above change) to prove that the change causes it to ask for reduced permissions, but I couldn't confirm that all the functionality still worked.

renanlecaro commented 1 year ago

I made an update to the scope, pending verification by google

renanlecaro commented 1 year ago

Google's scopes review policy is just the worst

renanlecaro commented 1 year ago

Well, it was a pain, but i think it's good now @geksiong @quasipickle @jonz-secops @samadhicsec

renanlecaro commented 1 year ago

I couldn't get rid of the email adress and public info part, i guess all addons get it by default ?

samadhicsec commented 1 year ago

Your pain will improve the efficiency of a whole lot of people. My sincere thanks for making the update.