fix(auth): stop TUI from unconditionally injecting cloud-platform scope#564
fix(auth): stop TUI from unconditionally injecting cloud-platform scope#564anshul-garg27 wants to merge 1 commit intogoogleworkspace:mainfrom
Conversation
The interactive scope picker force-injected cloud-platform after every selection, contradicting DEFAULT_SCOPES which deliberately excludes it. This broke org-restricted accounts with admin_policy_enforced errors. Now cloud-platform only appears when the user explicitly selects it in the picker, uses --full, or passes it via --scopes. Closes googleworkspace#562
🦋 Changeset detectedLatest commit: 86df4b6 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses an issue where the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request correctly addresses the issue of unconditionally injecting the cloud-platform scope during TUI-based authentication. The changes are well-targeted, removing the special handling for cloud-platform in scope_matches_service and the forced injection in run_discovery_scope_picker. The related tests have been updated appropriately to verify the new, correct behavior, and the unused PLATFORM_SCOPE constant has been cleaned up. The implementation is sound and effectively resolves the reported bug.
2 participants
Summary
The interactive TUI scope picker unconditionally injects
cloud-platformafter the user's selection (line ~835 inauth_commands.rs), even when the user only picked basic services like Drive or Gmail. This contradictsDEFAULT_SCOPESwhich deliberately excludescloud-platformto avoidrestricted_client/admin_policy_enforcederrors on managed Workspace accounts.Changes:
cloud-platforminjection after TUI selectioncloud-platformauto-pass-through inscope_matches_serviceso it's filtered like any other scope when--servicesis usedPLATFORM_SCOPEconstantcloud-platformremains available in the TUI picker as a selectable option and is still included when using--full. Users who need it can select it explicitly.Closes #562
Test plan
cargo test— 749 pass, 0 failcargo clippy -- -D warnings— cleanscope_matches_servicetest updated to verify cloud-platform is NOT auto-included