Allow script to edit locked cells

I have a complex spreadsheet where most of the sheet is locked and the user can only edit a handful of cells which triggers a bunch of calculations. This used to work fine but the problem now is I have added a drawing which I attached a script to so it acts as a button. Doing this forces the user to have to authorize and now the scripts run as that user so when the script tries to update cells that are locked to the user it fails.

How can I make it so a user can't type into cells, but my scripts can still update them. Basically I want the script to have full access to the sheet, not restricted by user permissions.

Workaround#1 -Service account:

• Create a service account

• Share your spreadsheet with edit permissions to the service account's email

• Install and Use the Google oauth2 library to get Bearer token with necessary scopes(Drive/Sheets/Both). This token can be used to impersonate the service account.

• Using the bearer token above, You can directly access the

  • google-sheets-api using urlfetch
  • OR use a published webapp(set to execute as "User accessing the app" and "Anyone") to use inbuilt services such as SpreadsheetApp. See Second related answer linked below.

• In this case, PRIVATE_KEY of the service account acts as a password to access the spreadsheet with edit privileges. So, exposing it directly in the script editor will give access to any of the editors to access protected areas of the spreadsheet and all service account resources. So, in a way, protected areas are not protected in a absolute way. If protected areas need to be absolutely protected, You may be able to bypass this limitation

  • using two script projects: a bound one posting data to a unbound one, which is published as a web app and holds the private key. Here, editors can be supplied with passwords to access the unbound script.

  • Another way is to simply publish a addon, as a addon's source code is never visible to end users.

Workaround#2 - Installable triggers:

• Use a installable edit trigger with a checkbox. Users click a checkbox in the unprotected area and script modifies the protected area.

• Installable triggers run under the authority of the user who installed it and not as the current user.

• They can bypass permission restrictions of the sheet. But this is a double edged sword. Anyone with edit permission will be able to trigger the script. Not only that, they may also be able to access the script editor and modify the script as they see fit. To limit foul usage,

  • Set the script to run only at a specified version: This can be done by setting the edit trigger manually in Tools > Script editor> Edit > Current project triggers > Add trigger > Select version. Script must have a saved version and be deployed as a webapp(doesn't need to be working).
  • Avoid providing unnecessary scopes to the script. Limit oauthScopes by editing manifest file. Preferably the only scope provided should be https://www.googleapis.com/auth/spreadsheets.currentonly
  • Alternatively, use a standalone script instead of a container bound script. You get access to installable triggers in standalone scripts, but lose access to some ui elements like buttons. But editor of sheets/docs will never get to see the script.

Related:

• Is there a way to let a user edit another spreadsheet with a script and hide it from him at the same time?
• Google App Script execute function when a user selects a cell in a range
• How to run a Google Apps Script in a read-only spreadsheet?