I have this simple code to prevent unwanted users from accessing my Google Slide by performing following tasks:

1. Detect user's IP and compare with whitelist IPs
2. If the IP is not in the whitelist, redirect the user to another page (i.e. www.example.com)

The code I've written is as below;

function doGet(e) { // [Problem #1] This function is not running everytime a user visits my Google Slide

  // Get user's IP address: works correctly by returning MY IP address
  var url = "http://api.ipify.org";
  var json = UrlFetchApp.fetch(url);
  var IP = json.toString();

  // Compare with whitelist IP: works correctly
  switch(IP)
  {
    case "10.10.10.1":
      console.log("Accessed with eligible IP");
      break;
    case "10.10.10.2":
      console.log("Accessed with eligible IP");
      break;
    case "10.10.10.3":
      console.log("Accessed with eligible IP");
      break;
    default:
      // [Problem #2] Kick away unauthorized users: NOT WORKING
      console.log("Access denied: unauthorized IP");
      return HtmlService.createHtmlOutput(
      "<script>window.top.location.href='https://example.com';</script>"
      );

  }
}

[Problem #1] I've named my function doGet(e) as is described in https://developers.google.com/apps-script/guides/triggers, hoping that it runs everytime when a user visits my web app(Google Slide). However, visiting my GoogleSlide or refreshing the page won't let my code run. I've also tried doGet(), onOpen(e), onOpen(), doPost(e), and doPost() - but all in vain.

[Problem #2] Reading user's IP address and determining whether the user is unauthorized is working good, but I can't kick unauthorized user away by redirecting him/her to another page.

Please shed some light.

Thank you in advance.

CodePudding user response：

There is no simple way to stop unauthorized access to the slide deck the way you envision. The easiest solution would be to use the standard File > Share dialog box to grant access only to the individuals you want. Others will not be able to view the file. If you are sharing the slide deck as "anyone with link can view", simply do not give the link to people other than the ones you want to grant access to.

The reason for your approach failing is that, broadly speaking, only code in simple triggers and custom functions can run without authorization. All other types of functions will prompt the back-end to show a dialog box to ask the user at the keyboard for authorization. If the dialog box is dismissed, the code does not get to run.

When you are running without authorization, not all Apps Script methods are available. Notably, you cannot open client-side user HTML dialog boxes or sidebars. That is of relevance here because Apps Script runs on Google's servers rather than in the end device. You cannot find the user's IP address in a server-side script.

If you had authorization, you could open a client-side HTML dialog box or sidebar and call the http://api.ipify.org endpoint there. But the problem is that the user can simply choose to not authorize, preventing your code from ever running.

Further, I do not think there is any way to close the host slide deck window or redirect it to another page from any type of script function.

The doGet() function will not run automatically when you open a slide deck. It is usually called by accessing another endpoint that gets created when you deploy the script project as a web app. It runs in the server side and I do not think it is of much relevance here as it has no access to the slide deck user interface.