列表忽略drive.file范围并显示未由调用应用程序创建的共享文件 [英] List ignores drive.file scope and shows shared files not created by the calling app

问题描述

我们的应用程序使用drive.file范围来确保我们只能看到我们的应用程序创建的用户文件。

然而，'list '调用返回已经与用户共享的文件，即使它们不是由我们的应用程序创建的。

可以在试用它中轻松验证。部分文件/列表API文档。
使用drive.file范围进行授权，并运行不带任何参数的简单列表查询。这应该返回一个空列表，但在我的情况下返回已与我共享的几十个文件。

之前有同样的问题（一个小的变化只影响查询q参数集）：使用搜索查询列出文件会返回超出范围的结果（drive.files.list调用，使用drive.files作用域）

它已被修复在此期间，但现在似乎回来了所有列表查询。这是有问题的，主要不是因为它打破了我们的应用程序，除了它自己的文件外，什么也不需要。存在隐私问题，因为我突然可以看到我们用户的私人数据的文件名，这是他们从未同意的。

解决方案

我相信这个问题是由于API Explorer的行为，而不是Drive API本身。如果API资源管理器已经有一个具有OAuth范围的令牌能够进行调用，那么它将使用该令牌，因此如果先前给出的API资源管理器是可以查看所有用户文件的范围，那么您将全部返回。尝试为您的帐户撤消所有Explorer令牌： rel =nofollow> https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en

然后，在清除所有cookie后/ sessions for developers.google.com，尝试用ony the drive.file范围创建一个新标记并再次尝试您的API调用。

您还应该注意那些被公开分享将被退回。

Our application uses the drive.file scope to make sure we only can see files of our users that have been created by our application.

However, a 'list' call returns files that have been shared with the user even though they are not created by our application.

That can be easily verified in the "Try it!" section of files/list API documentation. Authorize with drive.file scope and run a simple list query without any parameters. That should return an empty list but in my case returns dozens of files that have been shared with me.

There was the same issue before (a slight variation only affecting queries with q parameter set): Listing files with search query returns out-of-scope results (drive.files.list call, using drive.files scope)

It has been fixed in the meantime but now it seems to be back for all list queries. It's problematic not mainly because it breaks our app that expects nothing but its own files. There is the privacy problem because I can suddenly see the file names of our users' private data, which they have never agreed to.

解决方案

I believe this issue is due to the behavior of API Explorer, not Drive API itself. If API Explorer already has a token with OAuth scopes capable of making the call, it will use that so if previously given API Explorer a scope that can see all user files, you'll get them all back. Try revoking ALL Explorer tokens for your account at:

https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en

then, after clearing all cookies/sessions for developers.google.com, try creating a new token with ony the drive.file scope and attempt your API call again.

You should also note that files that are publicly shared will be returned.

这篇关于列表忽略drive.file范围并显示未由调用应用程序创建的共享文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！