google-drive-api

Google Drive API - limit API access to single folder?


My app uses Google Drive API to read files that a user has uploaded to their Drive storage area, and to write files and folders into this same directory. The user logs in with their own account/credentials.

My current understanding is that the only scope (access level) available for me to use in this case is "full drive access".

Is this a correct statement?

Dropbox supports an "Apps" folder where I can use their API to read/write, while being restricted to my own area. I'm surprised that Google doesn't offer something similar, as my users may not want to grant read/write access to their entire Drive storage, when all I need access to is a single directory (and all sub directories within, whether I create or user creates).

To provide a little more info, my app is a flashcard app. I want users, at a minimum, to be able to upload spreadsheets with data to be read in by the app. But users would like it if I didn't need full access to all their data.


Solution

  • 2024 update: Google has effectively blocked me (my apps) from using "full drive access" anymore. They are cracking down on security risks.

    Update #2: I could not figure out how to OK individual files using the "drive.file" scope. I pleaded my case to Google and they said I needed a CASA level 2 security assessment. This costs about $600 USD / year, payable to security company. They send results to Google. I decided to go this route, and Google has now reinstated my app with full "drive" access.


    I think the simple answer is... Google Drive doesn't have an "Apps" directory like Dropbox or OneDrive, and if an app want access to files the user uploaded to Drive, the basic way is for the user to grant access to ALL files in Drive.

    The "drive.file" scope might work for some since it appears to give access to individual files that the user OK'd. How does the user OK a file? According to the post below, they would send a file from the Drive app to my app.

    Google Drive api scope and file access (drive vs drive.files)

    I think these are the only two permission options to read user's files using the Drive API (without using a service account).