google api - GMail API Super Admin access other users accounts via API?
My institution has been running Google Apps for Education since 2009. I'm responsible for creating, deleting, modifying, etc., student email accounts. I've converted existing C# applications from GData to the new Admin SDK - life is good.
Last week one of the departments sent out an email to 800 students that contained an error. I was asked if it's possible to create a quick application able to remove the email from the 800 students' inboxes.
Using the “super admin” domain account I was able to create an application using the Gmail API to go into my inbox and select particular emails that matched specific criteria; for example: from:xxxx@domain.edu , is:unread , subject:test
I was able to return a collection of message IDs and can delete them from the inbox – great!
Since I was able to do this on my inbox, I figured I'd conduct a test and plug in one of the 800 email addresses to get the same result. Unfortunately I received an error message:
error: google.apis.requests.requesterror delegation denied xxxxx@domain.edu [403] errors [ message[delegation denied xxxxx@domain.edu] location[ - ] reason[forbidden] domain[global] ]
I did read up on account delegation, which would require a request being sent from the “super admin” account and the student accepting it.
Could it be that the “super admin” of the domain doesn't have these permissions on any inbox except their own? I've tried reading posts and Google's documentation but cannot seem to find an answer on this topic.
The Gmail API is enabled in the Developers Console for a desktop application.
The service account I'm using is authorized, and in my C# application I'm using the correct scopes:
    // OAuth scopes requested for the credential
    Scopes = new[]
    {
        "https://mail.google.com",
        GmailService.Scope.GmailCompose,
        GmailService.Scope.GmailInsert,
        GmailService.Scope.GmailLabels,
        GmailService.Scope.GmailModify,
        GmailService.Scope.GmailReadonly,
        GmailService.Scope.MailGoogleCom,
        "https://www.googleapis.com/auth/userinfo.email",
        "https://www.googleapis.com/auth/userinfo.profile"
    },
My C# code:
    List<Google.Apis.Gmail.v1.Data.Message> result = new List<Google.Apis.Gmail.v1.Data.Message>();
    // List messages in the target user's mailbox that match the search query
    UsersResource.MessagesResource.ListRequest request = GoogleToken.GoogleService().Users.Messages.List("xxxxx@domain.edu");
    request.Q = " from:xxxx@domain.edu , is:unread , subject:test ";
    do
    {
        try
        {
            ListMessagesResponse response = request.Execute();
            // Messages is null when a page has no matches
            if (response.Messages != null)
            {
                result.AddRange(response.Messages);
            }
            request.PageToken = response.NextPageToken;
        }
        catch (Exception ex)
        {
            Debug.WriteLine("error: " + ex.Message);
            break; // stop paging on failure instead of retrying the same page forever
        }
    } while (!String.IsNullOrEmpty(request.PageToken));
    Debug.WriteLine("done");
    Debug.WriteLine(result);
You cannot authenticate as yourself and access other mailboxes, even if you are an admin in the domain. However, as a domain admin, you can whitelist an app to access users in the domain. This involves using a service account with domain-wide delegation. You need to whitelist the app in the Google Apps cPanel and use a different auth flow. See: https://developers.google.com/identity/protocols/oauth2serviceaccount#delegatingauthority
Though really, email mistakes happen; have them reply with a follow-up to correct the misinformation. Going in and deleting email from a mailbox, even if it's possible, seems like a bad idea from a "user trust" perspective (what happens if you have a bug and delete the wrong mail!)--has anyone tried reasoning with said person on this idea? :-D Users that have seen the email may be worried/confused when it disappears, etc.
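The service-account flow the answer describes, as an added example that is not code from the question or the answer: the credential is scoped to gmail.modify only, impersonates one mailbox owner, defaults to a dry run, and moves matches to Trash rather than deleting them, so a bad query stays recoverable. Assumptions: the key file name, the class and method names, and that the service account's client ID has already been authorized for the gmail.modify scope in the admin console.

```csharp
using System;
using System.Collections.Generic;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Gmail.v1;
using Google.Apis.Gmail.v1.Data;
using Google.Apis.Services;

static class MailRecall // hypothetical name
{
    // Assumed placeholders: key file path and search query (operators taken from the question).
    const string KeyFile = "service-account.json";
    const string Query = "from:xxxx@domain.edu is:unread subject:test";

    // Build a Gmail client that acts as one user through domain-wide delegation.
    static GmailService ServiceFor(string userEmail)
    {
        GoogleCredential credential = GoogleCredential.FromFile(KeyFile)
            .CreateScoped(GmailService.Scope.GmailModify) // enough to list and trash, no permanent delete
            .CreateWithUser(userEmail);                   // the mailbox owner being impersonated
        return new GmailService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "mail-recall-example"
        });
    }

    // Returns the matching message ids; moves them to Trash only when dryRun is false.
    static List<string> Recall(string userEmail, bool dryRun)
    {
        var ids = new List<string>();
        GmailService gmail = ServiceFor(userEmail);
        UsersResource.MessagesResource.ListRequest request = gmail.Users.Messages.List("me");
        request.Q = Query;
        do
        {
            ListMessagesResponse response = request.Execute();
            if (response.Messages != null) // null when the page has no matches
                foreach (Message m in response.Messages) ids.Add(m.Id);
            request.PageToken = response.NextPageToken;
        } while (!string.IsNullOrEmpty(request.PageToken));
        foreach (string id in ids)
        {
            Console.WriteLine($"{userEmail}\t{id}\t{(dryRun ? "would trash" : "trashed")}");
            if (!dryRun) gmail.Users.Messages.Trash("me", id).Execute();
        }
        return ids;
    }

    // Usage: MailRecall <user@domain.edu> [--apply]
    static void Main(string[] args) => Recall(args[0], !(args.Length > 1 && args[1] == "--apply"));
}
```

The tab-separated output doubles as an audit record of which message ids were touched in which mailbox.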
Did you find a solution? I am stuck with the same problem
Awaiting your response