G Suite Business customers can preview App Maker. Ask your domain admin to apply for early access.

Application Settings

The application settings let you specify application wide settings. You can also manage revisions and deployments from the settings UI, which is covered in much more detail here.

App Settings

Description

The description is used by the application authors to describe the purpose of the application, and any other information which might be necessary.

App Start

This section allows you to specify an initial view for your app, as well as which JavaScript libraries should be loaded along with your application. The libraries are specified by the URL where they are hosted. Conveniently, Google hosts several of the most common libraries. Note that the order in which the libraries appear in the list is the order in which they will be loaded, so libraries should appear after all of their dependencies, if they have any. Similarly, you can specify any CSS dependencies you may have.

This section also allows you specify any arbitrary script to run when your application starts. You might use this script to specify a dynamic start view, or to pre-load data before your views load. By the time this code runs, all external libraries have been loaded, so it is safe to use them.

For example, suppose you store a preferred starting view for each user in a user preference record. The following example loads that datasource and displays the appropriate view based on the results.

var datasource = app.datasources.MyUserDatasource;
// Stop app from loading until the datasource loads.
loader.suspendLoad();
datasource.load(function() {
    app.showPage(datasource.item.StartView);
    // Continue load now that data is loaded and view is set.
    loader.resumeLoad();
});

The loader parameter is passed to this script and allows you to suspend the loading of your app until some asynchronous data is returned, as shown above. If you don't suspend loading the application, the application will load as normal as soon as this script finishes.

Security

Use access roles to control how other users interact with your app after you've published it. You can control:

  • Who can use the application.
  • Who can access specific pages and modify records in your models.
  • (Admins only) Who can publish and edit deployments. You can't remove the admins role.

Security workflow

The basic workflow for controlling app security:

  1. Add roles in Settings settings chevron_right App Settings chevron_right Security.
  2. Add the roles to the individual pages and models that need protection.
  3. Add people to the roles when you create a new deployment.

More about access roles

You can specify your own roles, which by default have no permissions assigned. Permissions are currently assignable for model and relation modification events, view access and service datasource execution. This allows you to specify the ways that groups of people can interact with a model, for example, you may specify that only the Admins role can modify a record, or you could create your own role, for example a role named Manager, and give them create permissions on all your models. See Model Permissions for more information.

It's important to note that the model permission settings are the security gatekeeper to your application's data. This means that you can't rely on the UI to prevent a malicious user from accessing, and even editing, your data. For example, to create a secure "registration form" type application, you'll need to specifically limit who can read and modify the data in the model permission settings, even if there is no UI that provides this access to the data.

Note that you can only create or delete roles in the App Maker editor. You must wait until you publish your application to specify the members of these roles. This allows you to publish multiple versions of your application with different permissions. For example, the published production version of your application might have only you as the administrator, while the test version might have a set of trusted developers and testers in the Admins role. It also makes permissions more flexible, allowing you to modify role membership on a published application without requiring you to update the content of the application.

Each member you add must be an email address for an individual account or a Google Group. They can be set when initially publishing an application, and updated later by editing the application deployment's settings.

In scripting, you can access all the roles that the current user of your application is a member of using the user.roles parameter. This is available on both the client and the server.

Because role membership is specific to published applications, they do not exist during preview. When you preview, the user will have all permissions. In order to test permissions, you will need to publish a test deployment of your application and specify role membership.

Allow Apps to be Embedded

You or others in your domain might want to embed an app in another web site. Some of the benefits of embedded apps include:

  • You can integrate apps with sites that are already familiar to your domain's users.
  • You can conceal the long, complex URLs currently used to host published apps.

Most web sites with google.com URLs can embed an App Maker app. Sites with non-Google URLs require permission from an app administrator:

Type of Site Admin permission required? Notes
Non-Google web sites Yes Could introduce clickjacking vulnerability.
New Google Sites with google.com URL No Enabled by default.
New Google Sites with custom URL Yes
  • Site author can preview embedded app because previews are hosted on Google infrastructure.
  • App is blocked on published pages until app admin enables embedding.
Classic Google Sites Yes Can be embedded in an iframe gadget.
Sites or apps with scripts.google.com URL No Enabled by default.

Security Vulnerabilities

If you enable embedding, anyone who has access to the app can embed it in a site they control. This can lead to a type of web attack known as clickjacking. There are methods available to defeat clickjacking , but you should avoid making dangerous operations available in an app that can be embedded. If this is unavoidable, your app should provide a warning or a visible indicator before the user performs actions like entering personal information or deleting data.

Enable embedding

Click the checkbox in Settings settings chevron_right App Settings chevron_right Security to make your app embeddable.

Preferences

The Preferences section governs several UI and scripting settings.

App Language

App Maker apps currently support one language per app. English is the default language. UI text strings, messages, number formats, and date formats are appropriate for English.

If you change an app’s language to a different language, then users will expect UI text strings, messages, number formats, and date formats to be in the other language.

Some UI strings are available to the app developer in widget properties. As the app developer, it is your responsibility to localize the strings in the app’s language.

Some UI strings are not available to the developer for manual localization. App Maker customizes those strings automatically. App Maker also customizes number formats and date formats automatically.

App Maker automatically localizes these widgets:

  • Date boxes: Date format
  • Google maps: UI strings
  • Charts: Number formats and date formats in table, line, pie and bar charts
  • All widgets: Number formats and date formats in bindings for all bindable properties
  • Forms: Validation messages

Favicon URL

Enter the location for the favicon you want your app to use when it's deployed.

Advanced Google Services

Call APIs for Advanced Google services from your app. To use advanced services, add them in App Settings. All Advanced Services that are available in Apps Script are available in App Maker.

You don't need to add built-in Google services.

Add advanced services

  1. Click Settings settings chevron_right App Settingschevron_rightAdvanced Serviceschevron_rightAdd Service.
  2. Select boxes for the services you want to add and click Add.

Call advanced services

Call advanced services from server scripts in the same way that you call other Google services. Server scripts run in JavaScript as Apps Script scripts.

Tutorial 4 teaches you about calling APIs in server scripts from App Maker.

Remove advanced services

  1. Click Settings settings chevron_right App Settings.
  2. Under Advanced Services, hover over a row for a service and click delete.