fix: Add currentonly scopes for Apps Script for Docs, Sheets, Slides, and Forms.

[jpoehnelt]

No description provided.

[changeset-bot]

🦋 Changeset detected

Latest commit: fbc7865

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
google-workspace-developer-tools	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[gemini-code-assist]

Summary of Changes

Hello @jpoehnelt, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the Google Workspace developer tools by integrating currentonly OAuth scopes for Docs, Sheets, Slides, and Forms into the Apps Script context. This addition allows for more granular permission requests, ensuring that scripts can access only the currently active document, thereby improving security and aligning with the principle of least privilege. The change includes both the technical implementation of these scopes and their documentation within the project's changelog.

Highlights

• New 'currentonly' scopes for Apps Script: This pull request introduces specific 'currentonly' OAuth scopes for Google Docs, Sheets, Slides, and Forms within the Apps Script environment. These scopes enable developers to request permissions that grant access solely to the currently open document, sheet, presentation, or form.
• Scope definition and classification: The newly added scopes are defined in scopes.ts with a clear description emphasizing their limited applicability to Apps Script Services and are classified as NON_SENSITIVE. This clarifies that they do not extend to Apps Script Advanced Services or direct calls to Google Workspace APIs.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds the currentonly scopes for Apps Script for Docs, Sheets, Slides, and Forms. The implementation is mostly correct, but I've identified a high-severity issue with the scope descriptions. The generic description used for all scopes is misleading to users. I've suggested a refactoring to provide specific and accurate descriptions for each scope, which will improve clarity and user experience.

[gemini-code-assist]

The current implementation uses a generic description for all currentonly scopes. This can be misleading for users, as it suggests that each scope grants access to documents, sheets, presentations, and forms, rather than just the specific type associated with the scope. For example, the description for https://www.googleapis.com/auth/documents.currentonly should clearly state it only accesses the current document. This improves clarity and ensures users understand the permissions they are granting.

const CURRENT_ONLY_SCOPES_DATA = {
	"https://www.googleapis.com/auth/documents.currentonly": "document",
	"https://www.googleapis.com/auth/forms.currentonly": "form",
	"https://www.googleapis.com/auth/presentations.currentonly": "presentation",
	"https://www.googleapis.com/auth/spreadsheets.currentonly": "sheet",
};

export const CURRENT_ONLY_SCOPES = Object.keys(CURRENT_ONLY_SCOPES_DATA);

for (const [scope, entity] of Object.entries(CURRENT_ONLY_SCOPES_DATA)) {
	SCOPES.set(scope, {
		description:
			`Access the current ${entity}. The \`currentonly\` scope is only available within Apps Script Services. This does not include Apps Script Advanced Services or direct calls to Google Workspace APIs.`,
		classification: ScopeClassification.NON_SENSITIVE,
		apis: [],
	});
}