Scope requests might be to permissive

[chregon]

I hope this is the right place for this, if not please inform me.

I think many users find the requested scope is a bit too much (e.g. read, edit, and delete all emails).

In my case, I have the script running with only:

"oauthScopes": [
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/script.external_request",
    "https://www.googleapis.com/auth/script.scriptapp"
  ],

in the appscript.json. So no emails, and no task integration, but I bet many users don't find these necessary.

I think having the scope set manually, and maybe even informing the user of how to remove unneeded scope can help reach more people on the fence of using this. Also, might prevent some issues like this issue from becoming catastrophic down the line.

See, Authorization Scopes documentation for more.

[jonas0b1011001]

Hi,
thank you for the feedback! I agree that the requested permission might be daunting to some users, but as this is open source nobody has to blindly trust the script to not misuse the permissions.

(e.g. read, edit, and delete all emails)

This will be changed in the next version by switching from GMailApp to MailApp.
Unlike GmailApp, MailApp's sole purpose is sending email. MailApp cannot access a user's Gmail inbox.

So no emails, and no task integration, but I bet many users don't find these necessary.

I see that some features are not used by some users, the best solution would be to dynamically request permissions based on the settings activated by the user but this is as far as i know currently not possible.

I think having the scope set manually, and maybe even informing the user of how to remove unneeded scope

As "Apps Script automatically detects what scopes are needed" the script will always request all permissions that might be used by the script. An explaining wiki post about Permissions and how to adjust them is a good idea.

Also, might prevent some issues like this issue from becoming catastrophic down the line.

The script will never edit/delete events that were not originally created by it!

[derekantrican]

That assessment sounds fine to me. I didn't realize that by using MailApp instead of GmailApp you can restrict the permissions you request (I haven't used MailApp much and figured they were more or less synonymous). I've never liked how some of Google's permissions descriptions, while true, make it sound like the program is going to destroy everything (eg "Can delete all your calendars...." etc) so limiting the permissions we request sounds like a good way to put some people's minds at ease

[vsub21]

@chregon2001 Thanks for this info, I was also concerned about the excessive permissions required to run the app. Glad to know I can control it through oauthScopes.

[matthewmb]

@chregon agreed, nice find with the oauth scopes. It would be great if this info was in the installation instructions.

[derekantrican]

Please check out #191. I simply removed the last GmailApp usage (changed to MailApp) and now the "Read, compose, send, and permanently delete all your email from Gmail" is no longer requested.

The following are still requested:

• See, edit, share, and permanently delete all of the calendars you can access using Google Calendar
• Connect to an external service
• Send email as you
• Allow this application to run when you are not present
• Create, edit, organize, and delete all your tasks

[VNRARA]

qq: why is the script using Google Drive permissions now?

[jonas0b1011001]

qq: why is the script using Google Drive permissions now?

1. This is not an official release you are using.
2. Remove the two comments in Helpers.gs lines 89&90 to get rid of the permission request.

[hudcap]

Another option is to have a throwaway google account and install the script to the throwaway account. Then the calendar can be shared to your primary google account.

[VNRARA]

@jonas0b1011001 This was literally a copy from this GitHub I made.

[jonas0b1011001]

@jonas0b1011001 This was literally a copy from this GitHub I made.

The filename suggests you made a copy of a testversion from my google drive. You might have found it somewhere in the comments but that does not mean it's an official realease.

[jonas0b1011001]

I just created a wiki article about this topic.

Further steps i'd like to take to address the concerns:

1. Edit appscript.json to include the oauth scopes by default for easier editing.

{
  "timeZone": "Etc/GMT",
  "dependencies": {
    "enabledAdvancedServices": [
      {
        "userSymbol": "Tasks",
        "serviceId": "tasks",
        "version": "v1"
      },
      {
        "userSymbol": "Calendar",
        "serviceId": "calendar",
        "version": "v3"
      }
    ]
  },
  "oauthScopes": [
    "https://www.googleapis.com/auth/script.scriptapp",
    "https://www.googleapis.com/auth/tasks",
    "https://www.googleapis.com/auth/script.send_mail",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/script.external_request"
  ],
  "exceptionLogging": "STACKDRIVER",
  "runtimeVersion": "V8"
}

2. Add a link to the wiki article in the script's instructions.