
fix: require full Gmail scope for permanent deletes #39

Open
caioribeiroclw-pixel wants to merge 1 commit into ArtyMcLabin:main from caioribeiroclw-pixel:fix-gmail-full-delete-scope

@caioribeiroclw-pixel


Fixes #38.

users.messages.delete / users.messages.batchDelete require the full Gmail mailbox scope (https://mail.google.com/), so exposing permanent-delete tools under gmail.modify creates a bad UX: the tool is visible, then fails at execution time with Insufficient Permission.

This PR keeps the existing default safer:

  • adds gmail.full -> https://mail.google.com/
  • gates delete_email and batch_delete_emails behind gmail.full
  • documents that permanent delete is separate from the default gmail.modify,gmail.settings.basic auth
  • recommends modify_email / batch_modify_emails for archive / mark-read / label cleanup instead of permanent delete
  • adds regression tests for shorthand + URL scope handling and for hiding permanent delete under gmail.modify

Checks run locally:

  • npm test — 115/115 passed
  • npm run build
  • git diff --check
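
The scope gating described in this PR, as an added example that is not code from the pull request or the project: it normalizes shorthand and URL scopes, hides the permanent-delete tools unless the full mailbox scope was granted, and re-checks at call time. The helper names and the choice to let the full scope also expose the modify tools are assumptions; the tool names and scope strings come from the description above.

```javascript
// Added example. SCOPE_URLS, TOOL_SCOPES and the three functions are hypothetical names.
const SCOPE_URLS = new Map([
  ["gmail.modify", "https://www.googleapis.com/auth/gmail.modify"],
  ["gmail.settings.basic", "https://www.googleapis.com/auth/gmail.settings.basic"],
  ["gmail.full", "https://mail.google.com/"],
]);
const KNOWN_URLS = new Set(SCOPE_URLS.values());

// Any one of the listed scopes is enough to expose the tool.
// Assumption: the full mailbox scope also covers the modify tools.
const TOOL_SCOPES = {
  modify_email: ["gmail.modify", "gmail.full"],
  batch_modify_emails: ["gmail.modify", "gmail.full"],
  delete_email: ["gmail.full"],
  batch_delete_emails: ["gmail.full"],
};

// Accept comma- or space-separated shorthand ("gmail.modify") or full scope
// URLs and return canonical URLs. Unknown entries are dropped (fail closed).
function normalizeScopes(input) {
  const granted = new Set();
  for (const raw of String(input).split(/[\s,]+/)) {
    if (!raw) continue;
    const url = SCOPE_URLS.get(raw) ?? raw;
    if (KNOWN_URLS.has(url)) granted.add(url);
  }
  return granted;
}

// Tools to advertise for the granted scopes, in declaration order.
function visibleTools(scopeInput) {
  const granted = normalizeScopes(scopeInput);
  return Object.keys(TOOL_SCOPES).filter((tool) =>
    TOOL_SCOPES[tool].some((s) => granted.has(SCOPE_URLS.get(s))));
}

// Re-check at call time so a hidden tool cannot be invoked by name and
// the caller gets a local error instead of an API-side permission failure.
function assertToolAllowed(tool, scopeInput) {
  if (!visibleTools(scopeInput).includes(tool)) {
    throw new Error(`${tool} is not available with the granted scopes`);
  }
}
```
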


Development

Successfully merging this pull request may close these issues.

delete_email fails with Insufficient Permission — requires https://mail.google.com/ scope, not gmail.modify

1 participant