> However, I think the answer there is for Google to improve the security model for Drive - for example, allow the user to select a non-root folder which Transmit or iA Writer can use and have some UI indicating that it’s shared.
The OAuth scope https://www.googleapis.com/auth/drive.file [0] basically allows this. If memory serves, the app can use this scope, create a folder, and have access to things within that folder; it can certainly have access to all files created via the app (which should in general be true for iA and probably also Transmit). Offhand, I don't actually see what iA or Transmit are doing that needs the broader scope, though TotalCommander, trying to be a replacement file manager, would still need the biggest scopes.
Transmit is a file transfer app; it's used to get access to existing files on your own Google Drive without installing Google Drive's native app. Limiting it to a subfolder would defeat what I believe to be the most common use case.
It’d depend on what exactly you’re using it for - as an example, if you’re backing something up regularly that’d be fine.
The main thing I was thinking would be beneficial is getting user confirmation at better than the whole drive level. I think Google is trying to prevent cases where a third-party stores tokens on their servers which are breached, and in that kind of scenario it could be useful to push for scoping so e.g. if iA were breached the attacker could get your screenplay draft but not the folder where you back up your password manager or financial data.
[0]: See https://developers.google.com/drive/api/guides/api-specific-...; the drive.file scope is non-sensitive, so it needs a much more cursory approval process.
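
An added example, not part of the thread above: one way to check how much of a Drive an app's OAuth authorization request asks for, so a whole-drive grant can be told apart from the per-file `drive.file` scope discussed here. The verdict labels, the function name and the sample URLs (including the client IDs) are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

PREFIX = "https://www.googleapis.com/auth/"

# Breadth labels are this example's own; only scopes it is sure of are listed.
DRIVE_SCOPE_BREADTH = {
    PREFIX + "drive": "whole-drive",           # read/write every file in the Drive
    PREFIX + "drive.readonly": "whole-drive",  # read every file in the Drive
    PREFIX + "drive.file": "per-file",         # files the app created or was handed
}


def audit_auth_url(url):
    """Return (verdict, drive_scopes) for one OAuth authorization request URL."""
    query = parse_qs(urlsplit(url).query)
    # OAuth 2.0 carries scopes as one space-delimited parameter; tolerate repeats.
    requested = [s for value in query.get("scope", []) for s in value.split()]
    drive_scopes = [
        s for s in requested
        if s == PREFIX + "drive" or s.startswith(PREFIX + "drive.")
    ]
    if not drive_scopes:
        return "no-drive-access", []
    breadths = {DRIVE_SCOPE_BREADTH.get(s, "unclassified") for s in drive_scopes}
    if "whole-drive" in breadths:
        return "whole-drive", drive_scopes   # a stolen token exposes everything
    if "unclassified" in breadths:
        return "review", drive_scopes        # unknown Drive scope: check by hand
    return "per-file", drive_scopes          # a stolen token exposes app files only


def sample_url(client_id, scopes):
    """Build a constructed authorization URL for the demo below."""
    params = {"client_id": client_id, "response_type": "code",
              "scope": " ".join(scopes)}
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


# Constructed sample requests (client IDs are placeholders).
SAMPLES = {
    "editor": sample_url("EXAMPLE-EDITOR", ["openid", PREFIX + "drive.file"]),
    "file-manager": sample_url("EXAMPLE-FM", ["openid", PREFIX + "drive"]),
    "calendar-tool": sample_url("EXAMPLE-CAL", [PREFIX + "calendar.readonly"]),
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, audit_auth_url(url)[0])
```
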