Using the python drive api, I am attempting to remove any permissions a user has to a drive, folder, or file given their email. However, to do this it seems as though I must query all drives, then all files from all drives, then all permissions from all files. Only then can I comb every file permission to see if the id of the user on the permission matches the id of the user I want to remove permissions from. Is there an easier way to do this?
It's easy if you only want to deal with the files owned by a user, but to find all the objects that a user has permissions to access, that's not an easy thing to do: presumably you want specific writer/editor permissions, not "anyone in the organisation can edit" permissions. In our GSuite domain there are tens of millions of Drive files so this is an infeasible task.
A workaround for you is to move the user into an OU that does not have the Drive App enabled. That removes all drive access for the user, though it's not really what you asked for.
Related
I am working on an API, I just want to know what is the best place for config file which the user will provide for api to work.
Basically I am working on getting tweets and I want the user to provide configurations(API credentials)
A common location for config files is in a folder in the User's home directory; e.g. ~/.config/my_api_config.cfg, or ~/.my_api/config.cfg etc...
There is nothing stopping you from requiring the user to put the file in a very specific location e.g., /must/be/this/exact/folder/config.cfg
Often time programs will search a few places to see if a config file exists, e.g.,
same/directory/as/script/using/api/my_api_config.cfg (per script config)
~/.config/my_api_config.cfg (per user config; could be
anywhere else in specified user directory)
/etc/my_api/config.cfg
(system-wide config)
I am trying to transfer a Google Doc that currently belongs to me and move it to the root of another user's Google Drive. Both account are in the same domain and I'm using a Service Account to access all users.
At first I tried doing this by modifying the permissions. This would give the second user access to the file but it would not place it into the root of their drive or anywhere else. If the user wanted to see it they would have to do a search.
I then found some information that mentioned using the patch method of the files service to change the metadata of the file and thus initiate the transfer, but this hasn't worked.
The only thing I have for certain are the ID's of the root folders belonging to myself and the user I want to transfer the files to. Here's what I tried to do but failed.
# Note: "service" is the connection to the domain service account
service.files().patch(fileId='FILE_ID_GOES_HERE',
body={'parents':[{'isRoot':True,'kind':'drive#parentReference','id':'user_two_root_folder_id'}]},
removeParents=['user_one_root_folder_id'],
addParents=['user_two_root_folder_id'])
I can't tell if anything is wrong because I'm not getting any error messages.
Any ideas as to how to go about this would be greatly appreciated.
OK, I figured it out. It looks like I was just using the wrong API. You have to first insert the new permission then you have to delete the old permission. This will send the file to the root of the new user's Drive.
# Insert new permission first
new_permission = {
'value': 'email_of_new_owner#mydomain.com',
'type': 'user',
'role': 'owner'
}
run_new_permission = service.permissions().insert(fileId='FILE_ID_GOES_HERE',body=new_permission).execute()
# Then delete old permission
service.permissions().delete(fileId='FILE_ID_GOES_HERE', permissionId='PERMISSION_ID_GOES_HERE').execute()
Does it return any kind of error?
I don't think you can "move" the file like that. Try file.insert to his drive then delete from your own.
I have never heard of anyone trying to patch the location of a file to someone else. TBH I can't see how that could work, because you would have to have service authenticated with both your account and his account which is not possible. Even though as you say you are using a service account with access to both account, I seriously drought that the API can support this.
You will need to do this in two steps, insert -> to him Delete -> from you
Update: I just heard from a colleague who is a Google Drive expert, he said he thought it was broken (patching location). He did a quick test and verified this is a broken feature. All it returns is 403 - insufficient permissions
I'd like to build a site which contains a few folders for different teams. However, there is one team that is common to one folder on all sites. I do not want that team to be allowed to see the content of the other folders. I tried creating a folder in a site and giving permission to a user via CMIS (in python), however that folder doesn't seem to be accessible from their share UI.
I'm not even sure this is the best way to do this. The organisation of the information requires that the areas are in the same place (i.e. the same site) however if you have access to the site you seem to have access to all the folders (I can't figure out a way of removing access to a folder on a site for a single user)
Also the requirement here is that it needs to be done programmatically; I'm not bothered particularly about using CMIS and if I have to rewrite the file/folder code, but in my head the best thing to do would be to add a widget on the share UI that access all the folders that a user has access to in the absence of being able to deny access to a folder.
As Gagravarr says you are going to have to break inheritance on the documentLibrary folder to get it to work like you want. Breaking inheritance is not supported by CMIS so you'll have to write your own web script to do that.
I would manually set the permissions until it works like you want it to, then once you get that working, write a web script that puts it into effect for all of your sites.
A share site comes with a security model where every person goes in at least one of four groups: Manager, Collaborator, Contributor and Consumer - either directly or indirectly via another group. Access is generally managed by access control lists. You might want to look at Alfresco: Folder permission by role to get an idea how that works. The site security model does not work for you if you find the need for more than those four groups to map access control. It can still be done, but I would strongly discourage you implementing that because it can get very hard to understand quickly.
I have been testing out a little script for uploading drafts to a gmail address like so:
now = imap.Time2Internaldate(time.time())
conn.append('[Gmail]/Drafts', '', now, str(msg))
This all works just fine for account1#company.com.
I then go through authenticating with a second account, acc2#company.com, and uploading a draft fails with the following error:
30:08.43 < EMCK2 NO [TRYCREATE] Folder doesn't exist. (Failure)
30:08.43 NO response: [TRYCREATE] Folder doesn't exist. (Failure)
I can create folders, but not append to folders, not even the ones that I create.
Settings in both accounts are identical and both are on the same domain. I have no idea why or how this is happening, or where to look next to find out?
This is because Google uses localized folder names for these special folders. The correct way is making your application work without hardcoded folder names and not gmail-specific in the first place. One way of achieving that goal is via the RFC 6154.
I'm faced with the following problem:
The users have some files that need syncing so I'm writing a script that copies the encrypted files from a user's directory to a temporary directory in the server before it gets distributed in the other 5 servers.
The initial copy is done by creating a folder with the user's name and putting the files there.
The users are free to change usernames so if someone changes his username to something nasty the server(s) is/are owned
I have to use the usernames for folder names because the script that does the syncing is using the folder username for metadata of some sort.
So, is there any way to escape the usernames and make sure that everything is created under the master folder?
As nrathaus suggested you could use os.path.normpath to get "normalized" path and check for security issues