fix: remove sensitive send scope from reply and forward shortcuts #92

Merged
infeng merged 2 commits into larksuite:main from infeng:fix/remove-send-scope-from-reply-forward
Mar 30, 2026
infeng (Collaborator) commented Mar 30, 2026

Summary

The mail:user_mailbox.message:send scope is sensitive and may not be granted in all environments. Since +reply, +reply-all, and +forward default to saving drafts (which only requires message:modify), this scope should not be a prerequisite for using these shortcuts. When --confirm-send is used, the send scope is now validated dynamically in the Validate phase, preventing the "draft created but send failed" scenario.

Changes

  • Remove mail:user_mailbox.message:send from static Scopes in mail_reply.go, mail_reply_all.go, and mail_forward.go
  • Add validateConfirmSendScope() in helpers.go — when --confirm-send is set, checks the token for send scope and fails early with a clear hint if missing
  • Remove the scope from the test token in mail_shortcut_test.go
  • Update the login scope example in lark-mail-reply.md skill reference
  • Add regression tests covering +reply, +reply-all, +forward with --confirm-send when token lacks send scope
  • mail_send.go retains the scope as it is explicitly designed for sending

Test Plan

  • go test ./shortcuts/mail/... all passed
  • TestConfirmSendMissingScopeReply: +reply --confirm-send returns missing_scope
  • TestConfirmSendMissingScopeReplyAll: +reply-all --confirm-send returns missing_scope
  • TestConfirmSendMissingScopeForward: +forward --confirm-send returns missing_scope
  • Manual verification: +reply, +reply-all, +forward draft mode works without send scope granted

Related Issues

N/A

Remove mail:user_mailbox.message:send from the required scopes of
+reply, +reply-all, and +forward shortcuts. This scope is sensitive
and may not be granted, while these shortcuts default to saving
drafts and do not strictly require it.

CLAassistant commented Mar 30, 2026

CLA assistant check
All committers have signed the CLA.

infeng added the bug (Something isn't working) label Mar 30, 2026
chanthuang self-assigned this Mar 30, 2026
infeng requested a review from chanthuang March 30, 2026 09:04
chanthuang previously approved these changes Mar 30, 2026
chanthuang removed their assignment Mar 30, 2026
infeng self-assigned this Mar 30, 2026

Add validateConfirmSendScope() to check mail:user_mailbox.message:send
in the Validate phase when --confirm-send is used, preventing the
"draft created but send failed" scenario. Add regression tests for
+reply, +reply-all, and +forward.

infeng merged commit ecf3209 into larksuite:main Mar 30, 2026
4 checks passed
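
Added example (not code from this pull request or from the project): a minimal Go sketch of the pattern the PR describes, where the draft scope is always required and the sensitive send scope is checked during validation only when --confirm-send is set, before any draft exists. The type and function names, the space-delimited scope string, and the full name of the modify scope are assumptions; only mail:user_mailbox.message:send and the missing_scope error label come from the PR text.

```go
package main

import (
	"fmt"
	"strings"
)

// scopeSend is quoted from the PR; the full scopeModify name is an assumption
// (the PR only abbreviates it as "message:modify").
const (
	scopeModify = "mail:user_mailbox.message:modify"
	scopeSend   = "mail:user_mailbox.message:send"
)

// MissingScopeError is a hypothetical error type carrying a remediation hint.
type MissingScopeError struct{ Scope, Hint string }

func (e *MissingScopeError) Error() string {
	return "missing_scope: " + e.Scope + " (" + e.Hint + ")"
}

// hasScope matches whole space-delimited fields (assumed token format), so a
// longer scope that merely starts with the wanted name is not accepted.
func hasScope(granted, want string) bool {
	for _, s := range strings.Fields(granted) {
		if s == want {
			return true
		}
	}
	return false
}

// validate requires the draft scope always and the send scope only on request.
// It runs before any side effect, so a failure leaves no orphaned draft.
func validate(granted string, confirmSend bool) error {
	if !hasScope(granted, scopeModify) {
		return &MissingScopeError{scopeModify, "needed to save the draft"}
	}
	if confirmSend && !hasScope(granted, scopeSend) {
		return &MissingScopeError{scopeSend, "grant it or omit --confirm-send"}
	}
	return nil
}

func main() {
	// Constructed scope strings, not real tokens.
	fmt.Println(validate(scopeModify, false))               // draft mode: allowed
	fmt.Println(validate(scopeModify, true))                // rejected up front
	fmt.Println(validate(scopeModify+" "+scopeSend, true)) // send: allowed
}
```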