GMail API超级管理员通过API访问其他用户帐户？

本文介绍了GMail API超级管理员通过API访问其他用户帐户？的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

自2009年初起，我的机构正在运行Google Apps for Education。我负责创建，删除，修改学生电子邮件帐户等。我已将所有现有的C＃应用程序从GData转换为新的Admin SDK - 生活很好。

上周，其中一个部门向大约800名发生错误的学生发送了一封电子邮件。我被问到是否可以创建一个能够移除800学生收件箱电子邮件的快速应用程序。

使用我的超级管理员域帐户，我能够使用Gmail API创建应用程序进入我的收件箱并选择符合特定标准的特定电子邮件;例如： from：xxxx@domain.edu AND是：未读AND主题：test 我能够返回一组消息ID，然后我可以从收件箱中删除它们 - 很棒！

由于我能够在收件箱中做到这一点，我想我会进行另一项测试，并插入这800个电子邮件地址中的一个，并获得相同的结果。不幸的是，我收到了以下错误消息：

我确实在账户代表处阅读了一些内容，但这需要我的超级管理员帐户和接受该帐户的学生发送请求。

可以这是域名的超级管理员在除了他们自己的任何收件箱上没有这些权限？我尝试阅读帖子和Google的文档，但似乎无法找到有关此主题的答案。

在此桌面应用程序的开发人员控制台中启用了Gmail API。

我使用的服务帐户已获得授权，并在C＃应用程序中使用了正确的作用域：

Scopes = new [] { https://mail.google.com， GmailService.Scope.GmailCompose， GmailService.Scope.GmailInsert ， GmailService.Scope.GmailLabels， GmailService.Scope.GmailModify， GmailService.Scope.GmailReadonly， GmailService.Scope.MailGoogleCom， https：// www.googleapis.com/auth/userinfo.email， https://www.googleapis.com/auth/userinfo.profile}，
我的C＃代码：
列表与LT; Google.Apis.Gmail.v1.Data.Message> result = new List< Google.Apis.Gmail.v1.Data.Message>（）; UsersResource.MessagesResource.ListRequest请求= GoogleToken.GoogleService（）。Users.Messages.List（xxxxx@domain.edu）; request.Q =from：xxxx@domain.edu AND is：未读AND subject：test; do { try { ListMessagesResponse response = request.Execute（）; result.AddRange（response.Messages）; request.PageToken = response.NextPageToken; catch（Exception eX） { Debug.WriteLine（Error：+ eX.Message）; $！ $ b while（！String.IsNullOrEmpty（request.PageToken））; Debug.WriteLine（完成）; Debug.WriteLine（result）;

解决方案
>你自己并访问其他邮箱，即使你是域中的管理员也是如此。但是，作为域管理员，您可以将您的应用列入白名单，以访问该域中的所有用户。它涉及使用具有域范围委派的服务帐户。您需要在Google Apps面板中将您的应用列入白名单，并使用稍微不同的验证流程。请参阅：

虽然确实发生了电子邮件错误，但请让他们回复以纠正错误信息。即使可能，从邮箱中删除电子邮件似乎是一个非常糟糕的想法（如果您有错误并删除错误的邮件，会发生什么情况！） - 有人尝试用推理说有关这个想法的人？ :-D已经看过电子邮件的用户可能会担心/困惑，当它刚刚消失等。

My institution is currently running Google Apps for Education since early 2009. I’m responsible for creating, deleting, modifying, etc. , student email accounts. I’ve converted all my existing C# applications from the GData to the new Admin SDK - life is good.
Last week one of the departments sent out an email to roughly 800 students that contained an error. I was asked if it’s possible to create a quick application that is able to remove the email for the 800 students inbox.
Using my "Super Admin" domain account I was able to create an application using the Gmail API to go into my inbox and select particular emails that matched a specific criteria; example: from:xxxx@domain.edu AND is:unread AND subject:test I was able to return a collection of message id’s which then I can delete them from the inbox – GREAT!
Since I was able to do this on my inbox I figured I’d conduct another test and plug in one of those 800 email addresses and get the same result. Unfortunately I received this error message:
I did read something on account delegation but that would require a request being sent from my "Super Admin" account and the student accepting it.
Could it be that the "Super Admin" of the domain doesn’t have these permissions on any inbox except for their own? I’ve tried reading posts and Google’s documentation but I cannot seem to find an answer on this topic.
The Gmail API is enabled in the developers console for this desktop application.
The service account I’m using is authorized and in the C# application is using the correct Scopes:
Scopes = new[] { "https://mail.google.com", GmailService.Scope.GmailCompose, GmailService.Scope.GmailInsert, GmailService.Scope.GmailLabels, GmailService.Scope.GmailModify, GmailService.Scope.GmailReadonly, GmailService.Scope.MailGoogleCom, "https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/userinfo.profile"},
My C# Code:
List<Google.Apis.Gmail.v1.Data.Message> result = new List<Google.Apis.Gmail.v1.Data.Message>(); UsersResource.MessagesResource.ListRequest request = GoogleToken.GoogleService().Users.Messages.List("xxxxx@domain.edu"); request.Q = " from:xxxx@domain.edu AND is:unread AND subject:test "; do { try { ListMessagesResponse response = request.Execute(); result.AddRange(response.Messages); request.PageToken = response.NextPageToken; } catch (Exception eX) { Debug.WriteLine("Error: " + eX.Message); } } while (!String.IsNullOrEmpty(request.PageToken)); Debug.WriteLine("Done"); Debug.WriteLine(result); }
解决方案
You cannot authenticate as yourself and get access to other mailboxes, even if you are an admin in the domain. HOWEVER, as a domain admin, you can whitelist your app to access all users in the domain. It involves using a service account with domain wide delegation. You need to whitelist your app in the Google Apps Cpanel and use a slightly different auth flow. See:https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
Though really, email mistakes happen, just have them reply with a followup to correct the misinformation. Going and deleting the email from their mailbox, even if it's possible, seems like a really bad idea from a "user trust" perspective (what happens if you have a bug and delete the wrong mail!)--has someone tried reasoning with said person about this idea? :-D Users that have already seen the email may be worried/confused when it just disappears, etc.

这篇关于GMail API超级管理员通过API访问其他用户帐户？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！