I’m working with a Google Spreadsheet that has an Apps Script with an onEdit trigger. I need to make sure this trigger only executes when specific authorized users are editing the sheet.
My goal:
Only allow the onEdit trigger to run for predetermined admin users
Block the trigger from running for unauthorized users or anonymous sessions
I tried using this approach but it’s not working as expected:
The problem is that when users aren’t signed in, the function still seems to execute with admin rights even though Session.getActiveUser().getEmail() returns empty. It only properly blocks users who are signed in with different accounts.
What’s the correct way to handle anonymous users and ensure the script only runs for my authorized admin accounts?
The issue you’re encountering is actually a common security pitfall with Google Apps Script. When anonymous users access a published web app or shared spreadsheet, the script can indeed run with the permissions of the script owner rather than the actual user.
I’ve dealt with this exact problem before. The key is understanding that Session.getActiveUser().getEmail() behaves differently depending on how your script is deployed and accessed. For spreadsheet-bound scripts, you need to implement a more robust authorization check.
Try wrapping your entire onEdit function with the permission check and add explicit logging to track what’s happening. Also consider using Session.getEffectiveUser().getEmail() as an additional verification layer - this sometimes returns different results than getActiveUser() in edge cases.
Another approach that worked for me was creating a separate authorization function that writes a timestamp and user info to a hidden sheet for auditing purposes. This way you can actually see who’s triggering the script and debug the anonymous access issue.
The fundamental problem might be that your spreadsheet sharing settings are too permissive. Check if the sheet is set to “Anyone with the link can edit” - this often causes the script to run with elevated permissions regardless of the actual user.
Had a similar problem last month and found the issue was in spreadsheet permissions combined with script authorization scope. Try adding SpreadsheetApp.getActiveSheet().getProtections() to verify the user has actual edit rights rather than just relying on session email. Also make sure your script manifest has proper OAuth scopes defined, otherwise it might default to owner permissions.
Anonymous execution is definitely a tricky aspect of Google Apps Script security. From my experience troubleshooting similar issues, the root cause often lies in how the script’s execution context is established. What you’re seeing happens because Google Apps Script maintains different execution contexts for different access patterns. When someone accesses your spreadsheet anonymously, the script may still execute under the owner’s context, which bypasses your user authentication entirely.
I found success by implementing a two-step verification process. First, add a direct property check using PropertiesService.getScriptProperties() to maintain a separate authorization state. Second, implement a manual trigger registration system where authorized users must explicitly activate their permissions through a separate function call.
The critical insight is that you cannot rely solely on Session.getActiveUser() for security in shared spreadsheets. Consider moving sensitive operations to a separate script file that requires explicit authorization, then call it conditionally from your onEdit trigger. This creates an additional security layer that prevents anonymous execution.
Also worth checking your script’s execution transcript in the Apps Script editor - this will show you exactly what user context each execution runs under, which should help clarify why your current approach isn’t catching anonymous users.
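Added example, not code from any post in this thread: a fail-closed allowlist check for the onEdit trigger, in which an empty result from Session.getActiveUser().getEmail() (the anonymous case described in the question) is denied instead of falling through. ADMIN_EMAILS, checkEditor and runAdminLogic are hypothetical names, and the addresses are placeholders.

```javascript
// Placeholder admin accounts (assumption): replace with the real allowlist.
const ADMIN_EMAILS = ['admin1@example.com', 'admin2@example.com'];

// Normalise so case differences or stray whitespace cannot cause a mismatch.
// Anything that is not a string collapses to '' (treated as "no identity").
function normalizeEmail(value) {
  return typeof value === 'string' ? value.trim().toLowerCase() : '';
}

// Decide whether an editor may trigger the admin logic.
// An empty or missing email means the identity is unknown, so the
// decision is "deny", never "no restriction applies".
function checkEditor(email, allowlist) {
  const who = normalizeEmail(email);
  if (who === '') {
    return { allowed: false, reason: 'no-identity' };
  }
  // Drop blank allowlist entries so '' can never match by accident.
  const admins = allowlist.map(normalizeEmail).filter(Boolean);
  if (!admins.includes(who)) {
    return { allowed: false, reason: 'not-admin' };
  }
  return { allowed: true, reason: 'admin' };
}

// Trigger entry point. Session is the Apps Script global service.
// The check is the first statement, so nothing runs before it.
function onEdit(e) {
  const email = Session.getActiveUser().getEmail();
  const decision = checkEditor(email, ADMIN_EMAILS);
  if (!decision.allowed) {
    console.log('onEdit skipped: ' + decision.reason);
    return decision;
  }
  runAdminLogic(e);
  return decision;
}

// Hypothetical placeholder for the admin-only work the trigger performs.
function runAdminLogic(e) {
  // e.range, e.value and e.oldValue are available on the edit event.
}
```

An onEdit trigger fires after the cell has already changed, so this check gates what the script does and does not stop the edit itself; who may edit is controlled by the spreadsheet's sharing settings and protected ranges.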