What are the permissions and privacy settings for this add-on?

I wish the documentation addressed in some detail the permissions of this add-on.

Does it access/read all documents in the linked Google Drive, or only the documents the user chooses to embed?

Can Confluence users other than the one whose Drive is linked access that Drive?

Is the macro/add-on installed by default for that user who installs it, or is it available to all users on Confluence?

I don't want to have to install this add-on in order to find out...

Thanks,

Javier

1 answer

It uses Google's own previewer to view documents using your own Google account authenication, it's little more than an iFrame with their viewer.

There's no server acting on behalf of your user.

David, is this still the case? I'm seeing the plugin request the following permissions.

 

Request Details

It is still the case. Those scopes are the Google scopes being requested, there's no scope that allows a server to act on your behalf there.

So, is there an intermediary between Google and the user's browser that can see the file contents? I'm not sure I'm understanding the architecture correctly. Thanks so much for the response.

No, the comms is directly between your browser and Google's server, there is no proxy.

In that case, I'm not understanding what system is requesting the drive access?

The content loaded on drive.draw.io in the iFrame that the macro sits in is requesting access to your Google Drive.

Doesn't that imply that drive.draw.io has some level of access to a file's content? Sorry to be so nit-picky; I'm operating in a HIPAA regulated environment and need to be very specific about where and how data is stored and transmitted.

No problem. It means a web page served from drive.draw.io can be authenticated client-side to access the Google Drive. The source code to this plugin is fairly short, you're welcome to inspect it to confirm this is how the read is performed.

You could record the request and play it out of a server, as long as the file isn't public it will receive a 403.

Got it. Do you have a link to the source code? Thanks again for answering so many questions about a free plugin.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Oct 31, 2018 in Marketplace Apps

Marketplace Spotlight: Zephyr

Hello Atlassian Community! Each month, we run a series of Spotlights to highlight Marketplace vendors and apps that our team thinks this Community would find valuable. In last month's Spotlig...

344 views 0 1
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you