Don't require write access to Google Sheets / Drive for project creation

Open tfmorris opened this issue 2 years ago • 2 comments

OpenRefine currently uses Google authentication for two different purposes: 1) creating projects from Google Drive or Google Sheets documents and 2) uploading data to Google Sheets / Drive. For the first, only read access is required and it's an unnecessary security risk to be asking for full read/write access as we currently do.

To Reproduce

Steps to reproduce the behavior:

  1. Create project from Google Data
  2. Log in to Google
  3. Note that the scopes listed in the OAuth authentication dialog include full access, not read only access

Current Results

Full read/write scopes are requested

Expected Behavior

drive.readonly and spreadsheets.readonly are requested instead of the full drive and spreadsheets versions.

tfmorris, Nov 25 '23 01:11

This would likely mean also having a workflow to request the additional permissions when exporting to Google Drive, if the user was already logged in with read-only permissions.

wetneb, Nov 25 '23 09:11

Currently I think the login flow is triggered by the absence of a cookie, but I think the preferred/recommended way is to use an access failure to trigger it, which I think would deal with both cases. Otherwise, you need to get into the business of introspecting the cookie contents to see what scopes it contains (and it still might not represent a valid token).

tfmorris, Dec 13 '23 18:12
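
The flow discussed in this thread (read-only scopes for import, wider scopes only on export, re-authorization driven by an access failure rather than by cookie inspection), as an added sketch that is not part of the thread and not OpenRefine code. `withGoogleAccess`, `SCOPES`, `fakeApi` and the session and token objects are hypothetical names; the API and consent dialog are constructed stand-ins so the example runs offline.

```javascript
// Added example: every name here is hypothetical, none is an OpenRefine API.
const BASE = "https://www.googleapis.com/auth/";
const SCOPES = {
  import: [BASE + "drive.readonly", BASE + "spreadsheets.readonly"],
  export: [BASE + "drive", BASE + "spreadsheets"],
};

// Run call(token). A missing token, a 401 (invalid or expired token) or a 403
// (token lacks the scope) triggers consent for this operation's scopes only,
// followed by a single retry. A 403 that survives the retry is a real
// permission problem on the document and is surfaced to the caller.
async function withGoogleAccess(operation, session, call, authorize) {
  let res = session.token ? await call(session.token) : { status: 401 };
  if (res.status === 401 || res.status === 403) {
    session.token = await authorize(SCOPES[operation]);
    res = await call(session.token);
  }
  if (res.status !== 200) throw new Error("Google API call failed: " + res.status);
  return res;
}

// Constructed stand-in for a Sheets endpoint: checks expiry, then scope.
function fakeApi(needsWrite) {
  return async (token) => {
    if (token.expired) return { status: 401 };
    const canWrite = token.scopes.includes(BASE + "spreadsheets");
    const canRead = canWrite || token.scopes.includes(BASE + "spreadsheets.readonly");
    return { status: (needsWrite ? canWrite : canRead) ? 200 : 403 };
  };
}

async function demo() {
  const session = { token: null };
  const consents = []; // scopes shown to the user, one entry per consent dialog
  const authorize = async (scopes) => {
    consents.push(scopes);
    return { scopes, expired: false };
  };
  await withGoogleAccess("import", session, fakeApi(false), authorize); // first login
  await withGoogleAccess("import", session, fakeApi(false), authorize); // token reused
  await withGoogleAccess("export", session, fakeApi(true), authorize); // 403, upgrade
  session.token.expired = true;
  await withGoogleAccess("import", session, fakeApi(false), authorize); // 401, re-consent
  return consents;
}

demo().then((consents) => console.log(consents));
```

The scope set is chosen by the operation that failed, so the client never has to read the stored token to find out what it grants.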