Narrow Google Drive permissions
Current permissions gives to much access. Able to read and delete all files on my Google Drive is far reaching.
we pushed an update today that only asks for the permission to access files created by this app. you can narrow the current permissions down by disconnecting mindmup from your drive web site, then re-connecting it.
-
Guillaume, this is a limitation of the Google API. It's not possible to access Drive data without being logged on to Google through the API. I assume they use some internal interfaces for Drive apps, not the ones available to third party developers.
-
Guillaume Berche commented
it would be quite useful to be able to contribute to a mindmup document saved in drive and shared with "modifications allowed by anyone with the link". Google docs can for example be edited without having a google account, users appear as anonymous avatars, and this still allows real-time interactions.
-
Fueler commented
Thank you for this change!
-
Fueler commented
https://www.googleapis.com/auth/drive.file
- Per-file access to files created or opened by the appThat should be the access needed.
Files can still be shared via Google Drive.
-
Jakub Holy commented
I guess it cannot be helped unless Google adds support for limited access to its API. Currently it supports only few "auth scopes" - https://developers.google.com/drive/scopes - per-file access to files created/opened by the app, read or write access to file metadata, r/w access to files, access to a folder unique to the app.
F.ex. using the app folder (drive.appdata) permission might seem interesting but then 1) the data would be only visible to the app, not the user; 2) it wouldn't be possible to share the maps with others.
Tge File API shows what is possible https://developers.google.com/drive/v2/reference/#Files - essentially nothing w/o a fileId, so even opening a file that somebody made available to the whole world is not possible through this API