23 comments

[ 4.9 ms ] story [ 61.9 ms ] thread
Wow! I used this api a few months ago and it was really helpful. Of course I knew it was undocumented and could break at any time; here we are.
Sharing resources from web applications securely is hard work. It doesn’t surprise me at all that they end up having to lock down some forms of access from time to time. Most likely they found a vulnerability and this was a side effect of mitigating it.
Link requires google account, anyone have a synopsis?
Someone reported the bug, a @google.com replies verifying they reproduced it and have forwarded internally (attaching a private "blocked by" bug).

So it sounds like they accept this is an issue.

Note that a comment further down says:

> I have heard that this appears to not be a bug, rather an intentional change that they didn't announce in advance.

Not sure where "I have heard" comes from, but

Created issue. A short description of the issue:

Private Sheet public CSV export requires authentication when set not to

What steps will reproduce the problem?

1. create a private(!) Google Sheet

2. set public CSV export publication

3. access the endpoint without credentials

What is the expected output? What do you see instead? If you see error messages, please provide them.

You should receive a CSV file, you get HTML5 login form.

Please provide any additional information below.

Setting the Sheet to Public with a link fixes the problem, there's an obvious bug with the permissions taken from the Sheet, not the Export.

Thanks! Perhaps the issuetracker and sheets teams will be able to work together on a new permission-less access policy. ;)
This broke our production app last week. The only solution was to move our CSVs off of Sheets completely.
Why? Couldn't you have just set them to public view access?

Seems like it would have been a drastically simpler change.

We didn't know about that workaround at the time, we just needed to get our app back online.
Removing an external dependency on Google is a sound engineering choice for many use cases (and maybe not for others). One reason it might a sound engineering choice is what happened here.

Sure moving off Google is work. So is implementing the work around. Breaking changes always either require work or make user code obsolete. Breaking changes generate work for users. They externalize the cost of making changes non-breaking to end users.

Fortunately it was a transition we'd already talked about making; we were approaching that threshold where the agility/reliability tradeoff was about to flip. But still, it sucked having a few hours of unexpected downtime while we scrambled to make the change.
Google not giving a shit is news?
Huh? Where did you get that?
Despite being sarcastically phrased, the GP is very warranted. Google is so renowned for making breaking changes, there's a site to track not just their dead code, but their dead products:

https://killedbygoogle.com/

I think experienced engineers have learned not to depend on Google a long time ago, and the GP is stressing that lesson: this is not "news" in that it happens _very_ frequently.

Also, for the company that invented the protobuf IDL, you'd expect them to maybe use swagger to catch these things in an automated fashion, if they have admitted it's a bug by accepting a support ticket for it.

At the same time looks like they've updated this page (https://www.google.com/search/howsearchworks/mission/):

"Our company mission is to organize the world's information and make it universally accessible and useful, as long as you are logged in and we can show you personalized ads".

Title "Google makes breaking change to publishing Sheets as data" is slightly misleading/speculative as to intent.

Linked page title is "Private Sheet public CSV export requires authentication"

with a reply from Google: "This has been forwarded internally, any updates will be posted here."

This also broke my dashboard... which got bunch of data from spreadsheet :/
Shouldn't an integration that relied on this sort of things simply have been done properly using the sheets API to begin with?

The bug to me seems that it was ever possible to access data in a private sheet without authentication.