aboutsummaryrefslogtreecommitdiffstats
path: root/community/kaccounts-providers/fix-online-accounts-google.patch
blob: e303e5ce248121ca4ed82d486216d837fc292653 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
From 0a71da4e3caae0defe200a85954fc7e2012010c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Vr=C3=A1til?= <dvratil@kde.org>
Date: Mon, 13 Jan 2020 13:48:37 +0100
Subject: Google provider: limit requested OAuth scopes

Summary:
Limit the scopes to what is actually permitted in the Google App settings:
contacts and calendars for future PIM integration, GDrive for KIO-GDrive,
and Youtube (upload-only) for the Purpose sharing plugin. We can extend
this in the future if needed easilly, it's easier for us to get the
Google App verified if we can proof and show how the individual scopes
are used by KDE.

Reviewers: elvisangelaccio, bshah

Reviewed By: elvisangelaccio, bshah

Differential Revision: https://phabricator.kde.org/D26454
---
 providers/google.provider.in | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/providers/google.provider.in b/providers/google.provider.in
index 638c1a9..97307af 100644
--- a/providers/google.provider.in
+++ b/providers/google.provider.in
@@ -21,22 +21,15 @@
                order to return a refresh token -->
           <setting name="ResponseType">code</setting>
           <setting name="Scope" type="as">[
-              'https://docs.google.com/feeds/',
-              'https://www.googleapis.com/auth/googletalk',
-              'https://www.googleapis.com/auth/youtube.upload',
-              'https://www.googleapis.com/auth/youtube',
               'https://www.googleapis.com/auth/userinfo.email',
               'https://www.googleapis.com/auth/userinfo.profile',
-              'https://picasaweb.google.com/data/',
               'https://www.googleapis.com/auth/calendar',
-              'https://www.google.com/m8/feeds/',
               'https://www.googleapis.com/auth/tasks',
+              'https://www.google.com/m8/feeds/',
               'https://www.googleapis.com/auth/drive',
-              'https://www.googleapis.com/auth/drive.file',
-              'https://www.googleapis.com/auth/drive.metadata.readonly',
-              'https://www.googleapis.com/auth/drive.readonly'
+              'https://www.googleapis.com/auth/youtube.upload',
           ]</setting>
-          <setting name="AllowedSchemes" type="as">['https','http']</setting>
+          <setting name="AllowedSchemes" type="as">['https']</setting>
           <setting name="ClientId">317066460457-pkpkedrvt2ldq6g2hj1egfka2n7vpuoo.apps.googleusercontent.com</setting>
           <setting name="ClientSecret">Y8eFAaWfcanV3amZdDvtbYUq</setting>
           <setting name="ForceClientAuthViaRequestBody" type="b">true</setting>
-- 
cgit v1.1