• Resolved sgrx

    (@sgrx)


    Thanks for a great free WP plugin. Love the option to backup to Google Drive in a free plugin. However, when I saw the permissions I was a little surprised. I thought UpdraftPlus would ask all permissions for the folder it would create inside Google Drive, but instead it can access everything in Google Drive.

    This app wants permission to access everything in your Google Drive. It will be able to do the same things that you can do, including:

    See your files
    Upload and download your files
    Delete your files
    See the names and emails of people that you share files with
    Share and stop sharing your files with others
    Remove people from your files
    Organise your Drive

    There may be private information in your Google Drive, like financial records, medical reports, photos or tax info.

    Why is it so? Can’t it be just the Updraftplus folder you create that you should want permissions to?

    If we purchase UpdraftPlus premium, do you still ask for the same — all permissions on the entire Google Drive of an account?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author David Anderson

    (@davidanderson)

    Hi,

    The reason it doesn’t just ask for permission only to access the folder created is that if a user has to re-install WP (e.g. your site got hacked + destroyed) and create a new connection, he then normally doesn’t understand why he can’t access his existing backups from the previous install. So, we use the other possibility (there are only two) so that when you need to restore your site, you don’t get an unpleasant or confusing surprise.

    Google provide a very limited security model on Drive, unfortunately; possibly because they sell Google Cloud instead to people with more complicated needs.

    David

    Hi David,

    Any plans to provide an option to use a restricted permission set rather than full? Once I’ve approached BackUpWordpress team with the same question and they’ve actually changed to restricted (only folder created by the app), which lowers the risks both for users and you, since no one can blame UpDraft for wiping out a personal drive.

    Even with the trust that you won’t be messing up with my files intentionally, with such a permission your plugin is a target for deliberate hacking. For me it is a make it or break it option, I’d buy premium, but only if it supports restricted access setting. And as you know it is just a matter of changing one digit in the request…

    Regards, Mike

    Wow, David. You are going to get hacked. It is just a matter of time. Though, you probably have very few Google Drive users because only a nincompoop would authorize you to have full access to their google drive.

    Even without a hacker, all it will take is one vindictive girlfriend or employee and there goes TB of other people’s data. And I would venture you do not have professional insurance to cover such a disaster because no insurer would insure such a gaping hole. Oh, your excuse is utter nonsense.

    In addition, your thinking people that use google drive are incompetent is rude.
    Good luck.

    Thanks for the lead, Mike. I’ll look them up.

    PS. WordPress, you should shut Updraftplus down for such a gaping security flaw.

    • This reply was modified 5 years, 5 months ago by JuliaClark.
    Plugin Author David Anderson

    (@davidanderson)

    @mishamsk Yes, you can restrict to the more limited “only files created by the app” scope; add this as an mu-plugin or in your functions.php. Note that the way it’s written below assumes PHP 5.3+:

    // Request only the per-file Drive scope (files created by this app) plus basic profile info.
    add_filter('updraft_googledrive_scope', function() {
        return 'https://www.googleapis.com/auth/drive.file https://www.googleapis.com/auth/userinfo.profile';
    });

    N.B. If you do this, you won’t be able to use the “Rescan remote storage” feature to import backups that you manually uploaded into Google Drive (possibly some other things too).

    N.B. @sgrx It’s important to understand that in the OAuth2 security protocol, though an app could *theoretically* do those things, that doesn’t mean that UpdraftPlus, the company, can do any of those things. The *app* is the installed, open-source UpdraftPlus code on your website, in combination with the OAuth2 access token stored on your website. UpdraftPlus, the company, does not have access to your access token, and the code is all open source, distributed from www.ads-software.com (and you can read the source whenever you like). As such, there’s never going to be a release of UpdraftPlus that does any of those things (www.ads-software.com would boot us into outer space pretty immediately). It’s not like installing a proprietary app that’s closed to everyone.

    David
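
An added example, not part of the thread and not UpdraftPlus code: an mu-plugin that narrows whatever scope string reaches the `updraft_googledrive_scope` filter instead of hard-coding a replacement, so non-Drive scopes survive and the full `drive` scope is never requested. It assumes the filtered value is a space-delimited OAuth2 scope string, as in the reply above; the function and constant names are hypothetical.

```php
<?php
/**
 * Added example (not UpdraftPlus code). Assumption: the value passed through
 * the 'updraft_googledrive_scope' filter is a space-delimited scope string.
 * All EXAMPLE_* / example_* names are hypothetical.
 */

const EXAMPLE_DRIVE_FULL = 'https://www.googleapis.com/auth/drive';
const EXAMPLE_DRIVE_FILE = 'https://www.googleapis.com/auth/drive.file';

function example_restrict_drive_scope($scope)
{
    // OAuth2 scope strings are space-delimited; tolerate repeated whitespace.
    $requested = preg_split('/\s+/', trim((string) $scope), -1, PREG_SPLIT_NO_EMPTY);
    $kept = array();
    foreach ($requested as $s) {
        // Any Drive scope other than the per-file one is dropped
        // (drive, drive.readonly, drive.metadata, ...); other scopes pass.
        $is_drive = ($s === EXAMPLE_DRIVE_FULL)
            || strpos($s, EXAMPLE_DRIVE_FULL . '.') === 0;
        if ($is_drive && $s !== EXAMPLE_DRIVE_FILE) {
            continue;
        }
        $kept[] = $s;
    }
    // The plugin still has to write its backups: ensure the per-file scope.
    if (!in_array(EXAMPLE_DRIVE_FILE, $kept, true)) {
        array_unshift($kept, EXAMPLE_DRIVE_FILE);
    }
    return implode(' ', array_unique($kept));
}

if (function_exists('add_filter')) {
    // Inside WordPress: priority 999 so this runs after earlier callbacks.
    add_filter('updraft_googledrive_scope', 'example_restrict_drive_scope', 999);
} else {
    // Stand-alone run (php thisfile.php) over constructed sample inputs.
    $samples = array(
        'https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/userinfo.profile',
        'https://www.googleapis.com/auth/drive.file  https://www.googleapis.com/auth/drive.readonly',
    );
    foreach ($samples as $in) {
        echo example_restrict_drive_scope($in), PHP_EOL;
    }
}
```

A token that was already issued keeps the scope it was granted, so the Google Drive connection has to be re-authorised after the filter is in place.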

  • The topic ‘Google Drive Permissions’ is closed to new replies.