Fixed bug in gam print shareddriveorganizers that caused a trap when an organizer was a deleted user.

Ross Scroggs
2025-06-05 08:11:34 -07:00
parent fccf6c1278
commit f418287e65
2 changed files with 7 additions and 10 deletions


@@ -2,12 +2,13 @@
Removed the overly broad service account `IAM and Access Management API` scope `https://www.googleapis.com/auth/cloud-platform` Removed the overly broad service account `IAM and Access Management API` scope `https://www.googleapis.com/auth/cloud-platform`
from DWD. The `gam <UserTypeEntity> check|Update serviceaccount` commands issue an error message if this scope from DWD. The `gam <UserTypeEntity> check|Update serviceaccount` commands issue an error message if this scope
is enabled promptig you to update your service account authorization so that the scope can be removed. is enabled prompting you to update your service account authorization so that the scope can be removed.
GAM commands that need IAM access now use the more limited scope `https://www.googleapis.com/auth/iam` in a non-DWD manner. GAM commands that need IAM access now use the more limited scope `https://www.googleapis.com/auth/iam` in a non-DWD manner.
Added `enforce_expansive_access` Boolean variable to `gam.cfg` that provides the default value Added `enforce_expansive_access` Boolean variable to `gam.cfg` that provides the default value
for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions. for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions.
It's default value is False.
``` ```
gam <UserTypeEntity> delete permissions gam <UserTypeEntity> delete permissions
gam <UserTypeEntity> delete drivefileacl gam <UserTypeEntity> delete drivefileacl
@@ -19,6 +20,8 @@ gam <UserTypeEntity> claim ownership
gam <UserTypeEntity> transfer drive gam <UserTypeEntity> transfer drive
``` ```
Fixed bug in `gam print shareddriveorganizers` that caused a trap when an organizer was a deleted user.
Updated to Python 3.13.4 Updated to Python 3.13.4
7.08.02 7.08.02


@@ -63563,9 +63563,6 @@ def updateDriveFileACLs(users, useDomainAdminAccess=False):
_checkFileIdEntityDomainAccess(fileIdEntity, useDomainAdminAccess) _checkFileIdEntityDomainAccess(fileIdEntity, useDomainAdminAccess)
if 'role' not in body: if 'role' not in body:
missingArgumentExit(f'role {formatChoiceList(DRIVEFILE_ACL_ROLES_MAP)}') missingArgumentExit(f'role {formatChoiceList(DRIVEFILE_ACL_ROLES_MAP)}')
updateKwargs = {'useDomainAdminAccess': useDomainAdminAccess}
if enforceExpansiveAccess is not None:
updateKwargs['enforceExpansiveAccess'] = enforceExpansiveAccess
printKeys, timeObjects = _getDriveFileACLPrintKeysTimeObjects() printKeys, timeObjects = _getDriveFileACLPrintKeysTimeObjects()
if csvPF and showTitles: if csvPF and showTitles:
csvPF.AddTitles(fileNameTitle) csvPF.AddTitles(fileNameTitle)
@@ -63603,7 +63600,7 @@ def updateDriveFileACLs(users, useDomainAdminAccess=False):
permission = callGAPI(drive.permissions(), 'update', permission = callGAPI(drive.permissions(), 'update',
bailOnInternalError=True, bailOnInternalError=True,
throwReasons=GAPI.DRIVE_ACCESS_THROW_REASONS+GAPI.DRIVE3_UPDATE_ACL_THROW_REASONS+[GAPI.FILE_NEVER_WRITABLE], throwReasons=GAPI.DRIVE_ACCESS_THROW_REASONS+GAPI.DRIVE3_UPDATE_ACL_THROW_REASONS+[GAPI.FILE_NEVER_WRITABLE],
**updateKwargs, useDomainAdminAccess=useDomainAdminAccess, enforceExpansiveAccess=enforceExpansiveAccess,
fileId=fileId, permissionId=permissionId, removeExpiration=removeExpiration, fileId=fileId, permissionId=permissionId, removeExpiration=removeExpiration,
transferOwnership=body.get('role', '') == 'owner', body=body, fields='*', supportsAllDrives=True) transferOwnership=body.get('role', '') == 'owner', body=body, fields='*', supportsAllDrives=True)
if updateSheetProtectedRanges and mimeType == MIMETYPE_GA_SPREADSHEET: if updateSheetProtectedRanges and mimeType == MIMETYPE_GA_SPREADSHEET:
@@ -63869,9 +63866,6 @@ def deleteDriveFileACLs(users, useDomainAdminAccess=False):
else: else:
unknownArgumentExit() unknownArgumentExit()
_checkFileIdEntityDomainAccess(fileIdEntity, useDomainAdminAccess) _checkFileIdEntityDomainAccess(fileIdEntity, useDomainAdminAccess)
deleteKwargs = {'useDomainAdminAccess': useDomainAdminAccess}
if enforceExpansiveAccess is not None:
deleteKwargs['enforceExpansiveAccess'] = enforceExpansiveAccess
i, count, users = getEntityArgument(users) i, count, users = getEntityArgument(users)
for user in users: for user in users:
i += 1 i += 1
@@ -63904,7 +63898,7 @@ def deleteDriveFileACLs(users, useDomainAdminAccess=False):
break break
callGAPI(drive.permissions(), 'delete', callGAPI(drive.permissions(), 'delete',
throwReasons=GAPI.DRIVE_ACCESS_THROW_REASONS+GAPI.DRIVE3_DELETE_ACL_THROW_REASONS+[GAPI.FILE_NEVER_WRITABLE], throwReasons=GAPI.DRIVE_ACCESS_THROW_REASONS+GAPI.DRIVE3_DELETE_ACL_THROW_REASONS+[GAPI.FILE_NEVER_WRITABLE],
**deleteKwargs, useDomainAdminAccess=useDomainAdminAccess, enforceExpansiveAccess=enforceExpansiveAccess,
fileId=fileId, permissionId=permissionId, supportsAllDrives=True) fileId=fileId, permissionId=permissionId, supportsAllDrives=True)
entityActionPerformed([Ent.USER, user, entityType, fileName, Ent.PERMISSION_ID, permissionId], j, jcount) entityActionPerformed([Ent.USER, user, entityType, fileName, Ent.PERMISSION_ID, permissionId], j, jcount)
if updateSheetProtectedRanges and mimeType == MIMETYPE_GA_SPREADSHEET: if updateSheetProtectedRanges and mimeType == MIMETYPE_GA_SPREADSHEET:
@@ -66222,7 +66216,7 @@ def printSharedDriveOrganizers(users, useDomainAdminAccess=False):
useDomainAdminAccess=useDomainAdminAccess, useDomainAdminAccess=useDomainAdminAccess,
fileId=shareddrive['id'], fields=fields, supportsAllDrives=True) fileId=shareddrive['id'], fields=fields, supportsAllDrives=True)
for permission in permissions: for permission in permissions:
if permission['type'] in includeTypes and permission['role'] in roles: if permission['type'] in includeTypes and permission['role'] in roles and permission.get('emailAddress', ''):
if domainList: if domainList:
_, domain = permission['emailAddress'].lower().split('@', 1) _, domain = permission['emailAddress'].lower().split('@', 1)
if domain not in domainList: if domain not in domainList:
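Review bot: The added `permission.get('emailAddress', '')` test in printSharedDriveOrganizers sits in the outer condition, so an organizer permission with no email address (the deleted-user case from the commit message) is now dropped from the report silently, even when no `domainList` filter is in use. For an access review, organizer permissions left behind by deleted accounts are entries an admin would want listed, and any other permission type in `includeTypes` that carries no email address would presumably vanish the same way. Consider keeping the original outer condition and guarding only the domain split, e.g. `email = permission.get('emailAddress', '')` followed by `if domainList and (not email or email.lower().split('@', 1)[1] not in domainList):`, or at least add a comment such as `# permissions without emailAddress (deleted users) are skipped, not reported`. The loop body continues past the end of the hunk, so later lines may also index `emailAddress` and would need the same guard.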