jason/google-mcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add tasks:manage permission level to deny delete without blocking other writes

Browse Source 
The consolidated manage_task tool bundles create/update/delete/move into a
single tool, making it impossible to deny just the delete action via tool
tiers or scope-based filtering.

This adds:
- A `manage` permission level for tasks (between readonly and full)
- A SERVICE_DENIED_ACTIONS registry mapping (service, level) to denied actions
- An is_action_denied() helper that tools call before executing actions
- Guards in manage_task and manage_task_list that reject denied actions

Usage: --permissions tasks:manage
Allows create, update, move. Denies delete.
tasks:full remains unchanged (all actions allowed).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
mickey-mikey
2026-03-04 15:04:31 +11:00
parent 89e1974984
commit 377791080c
4 changed files with 99 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
gtasks/tasks_tools.py
View File

@@ -13,6 +13,7 @@ from googleapiclient.errors import HttpError # type: ignore
from mcp import Resource
from auth.oauth_config import is_oauth21_enabled, is_external_oauth21_provider
from auth.permissions import is_action_denied
from auth.service_decorator import require_google_service
from core.server import server
from core.utils import UserInputError, handle_http_errors
@@ -314,6 +315,11 @@ async def manage_task_list(
f"Invalid action '{action}'. Must be one of: {', '.join(valid_actions)}"
)
if is_action_denied("tasks", action):
raise UserInputError(
f"The '{action}' action is not allowed under the current permission level."
)
if action == "create":
if not title:
raise UserInputError("'title' is required for the 'create' action.")
@@ -881,6 +887,11 @@ async def manage_task(
f"Invalid action '{action}'. Must be one of: {', '.join(valid_actions)}"
)
if is_action_denied("tasks", action):
raise UserInputError(
f"The '{action}' action is not allowed under the current permission level."
)
if action == "create":
if status is not None:
raise UserInputError("'status' is only supported for the 'update' action.")