Hacker News new | past | comments | ask | show | jobs | submit login

Maybe because the app could be a mail client? If I downloaded a mail client and it wasn't able to delete my email I'd think it was a pretty crap piece of software. The same as I'd expect if I wanted a fully featured mail client to connect via IMAP.

I'd also feel a bit annoyed if a Twitter client I was using was unable to delete tweets, and I had to go back to the Twitter website to do that.

The thing about making APIs to let other people interface with your product is that you have to expose all the functionality of that product, or there's not really any point.

There are some fair comments in this thread saying that the "manage" permission is significant enough that it should be flagged a bit (or a lot) more strongly than the common "identify" permission, but personally I don't think the point of the API is something that needs questioning.

There's a very common case for exposing only a subset and that's granting read-only access.

That seems to be just what OP expected - he says "I exported my recent e-mail history to Fleep, a collaboration platform used by a new client, and let their software synchronize future e-mails".

So why, based on this, would he feel good about granting permission for something to delete his email? (even ignoring possible confusion over the meaning of "manage"). Delete != read-only.

His first thought should have been "is this too much access"? A quick Google search would have led him to https://developers.google.com/identity/protocols/googlescope..., where he could have seen that indeed there is a read-only scope for access to gmail (https://www.googleapis.com/auth/gmail.readonly).

Obvious conclusions he should have drawn - either: 1) Fleep is poorly or maliciously written, and requires overly dangerous OAuth scopes 2) His understanding of Fleep is wrong, and Fleep intends to do more than just read his emails

I don't know which is true, but he should have investigated before hitting the Internets with his tail of woe.

But at the end of the day, everything worked as it should, and we can probably assume that Fleep does what it says - its simply that he rushed past a warning dialogue.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact