I have an application registered with google that asks users for permission to read and write all files in their google drive account.
I would find this alarming as an end-user, and my application does not in fact need the ability to read and write all files in the end-user's google drive account.
In fact I would only need the ability to read and write a single file, a file that my application creates.
Is something like this possible?
For example the scope here
https://www.googleapis.com/auth/drive
permits all access to all drive files.
I am not finding a way to limit the scope at the file, or even to a folder, which would be nice:
https://developers.google.com/identity/protocols/googlescopes
drive.file scope limits access to files that your app created. That sounds a good match for what you are asking for.
Related
I need to upload files to a client's shared folder on OneDrive, however, there's no way I can get them to allow Files.WriteAll for my application (I'm using application permissions, not delegation) -- I've asked them. Is there another way to do that?
I have looked into multiple SO questions about this and on Microsoft's documentation, and I believe it is not possible, but I would like to know from people with more experience using Microsoft's service if it is indeed true.
Trying to leverage the Microsoft Graph API within a daemon application to update a single OneDrive Excel file. How do I accomplish least privilege permissions to a single file. I have scoured the documentation for a straightforward explanation of this basic task, however no articles are instructive on how to proceed with this. The documentation appears to define least privilege as a distinction between the Office software entities, but not within folders and files of a OneDrive. Thanks in advance for guidance.
This isn't possible. The Files.{Read|ReadWrite}.All application scopes provide access to the entire Drive for every user.
From the Permissions documentation:
Files.Read.All: Allows the app to read all files in all site collections without a signed in user.
Files.ReadWrite.All: Allows the app to read all files in all site collections without a signed in user.
Google Console has "service accounts" and service accounts can be given write permissions to files. These files can then modified without any sort of user intervention and works as long as the service account has the appropriate permissions.
Is there anything similar for Microsoft Graph? We have a file in a SharePoint folder that we would like continued access to even if the people with access to that folder continuously changes.
Azure AD has a notion of Service Principals that can be used for this purpose.
As a background I have been looking to implement syncing with Dropbox within my application. It will deal with multiple files residing in folders across a users Dropbox.
Initially the Sync API seemed perfect for this however it does not allow the app to have Full Dropbox Access which is a must. I considered the 'File type' permissions type but some of the file types that my app will need access to are not listed as choices.
Are there any alternatives to the Sync API which give Full Dropbox Access or will I be needing to write a solution based upon the Core API to do this?
What file types do you need? We (Dropbox) do add new file types over time, so we're always looking for feedback.
For Full Dropbox access, yes, you'll have to use the Core API.
Google's Drive service is great, but their documentation is quite confusing...What I want to do is to create a portfolio site where upon request I fetch all files contained in a particular folder from my Google Drive (e.g. a photo gallery). This requires iterating through an amount of subfolders and store the file data in a JS object, XML feed or similar. Language is not so important. Simply using the "Publish to the web" feature won't do as I can only make manual requests and they're very limited.I've tried to use the Files: list provided in the SDK but it won't work without requiring OAuth 2. Found out that its possible to make a "domain-wide delegation of authority" and bypass its authorization but that would require me to set up a Google Apps domain. Seriously, all that to fetch some files?
My best guess now is to use the https://googleapis.com/auth/drive.metadata.readonly scope, but from there I'm out of ideas.