Simplify permissions #982

Merged: elie222 merged 5 commits into main from feat/outlook-permissions on Nov 18, 2025

elie222 (Owner) commented Nov 17, 2025

Summary by CodeRabbit

  • Chores
    • Updated to version v2.20.3
    • Simplified email permission requirements by reducing read access scopes
    • Restricted contacts access to read-only mode

vercel bot commented Nov 17, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Updated (UTC) |
| --- | --- | --- | --- |
| inbox-zero | Ready | Preview | Nov 18, 2025 0:02am |

coderabbitai bot (Contributor) commented Nov 17, 2025

Walkthrough

Three Microsoft Graph permissions were removed (Mail.ReadBasic, Mail.Read, Mail.Read.Shared) and contact permissions downgraded from write to read-only (Contacts.ReadWrite to Contacts.Read) across configuration and documentation files. Version incremented from v2.20.2 to v2.20.3.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Permission/Scope Updates: README.md, apps/web/utils/outlook/scopes.ts | Removed three mail-related permissions (Mail.ReadBasic, Mail.Read, Mail.Read.Shared); replaced Contacts.ReadWrite with Contacts.Read when NEXT_PUBLIC_CONTACTS_ENABLED is enabled. |
| Version Bump: version.txt | Incremented version from v2.20.2 to v2.20.3. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • apps/web/utils/outlook/scopes.ts: Verify that the conditional logic change for Contacts scope correctly handles the NEXT_PUBLIC_CONTACTS_ENABLED flag and that removing mail scopes doesn't break downstream authentication flows.

Possibly related PRs

Poem

🐰 We trim the scopes with careful paw,
Mail reads fall away without flaw,
Contacts now read, no longer write,
Permissions narrow, permissions right,
v2.20.3 shines so bright! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Simplify permissions' directly and accurately reflects the main change: removing unnecessary mail permissions and changing contacts permission from read-write to read-only. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bf758ac and 429dcff.

📒 Files selected for processing (3)
  • README.md (1 hunks)
  • apps/web/utils/outlook/scopes.ts (1 hunks)
  • version.txt (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
apps/web/utils/outlook/scopes.ts (1)
apps/web/env.ts (1)
  • env (16-244)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: cubic · AI code reviewer
  • GitHub Check: test
🔇 Additional comments (3)
version.txt (1)

1-1: LGTM! Appropriate version bump.

The patch version increment is suitable for this permission scope simplification.

README.md (1)

229-229: Microsoft Graph contacts are read-only; permission change is safe and justified.

Verification confirms the application performs no contact write operations against Microsoft Graph. All contact-related functionality is read-only: profile data retrieval during authentication and contact search in compose. The scopes configuration already reflects Contacts.Read as the only Microsoft Graph contact permission in use. The documentation is accurate.

apps/web/utils/outlook/scopes.ts (1)

5-15: Scope changes verified as safe—no regression risk.

The shell script confirmed all Outlook API calls exclusively use /me/mailFolders endpoints, accessing only the signed-in user's own mailbox. The removed Mail.Read.Shared scope was never used, as your codebase contains zero references to shared/delegated mailbox patterns (e.g., /users/{id}/mailFolders).

Per Microsoft Graph documentation, Mail.ReadWrite implicitly includes read access for the user's own mailbox, making it a valid replacement for the removed read-only scopes. The contacts downgrade to read-only also aligns with actual usage—no write operations detected.



cubic-dev-ai bot (Contributor) left a comment
No issues found across 3 files
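
The scope reduction reviewed in this thread, as an added TypeScript example that is not part of the PR or the inbox-zero code base: a hypothetical `auditScopes` helper flags requested Microsoft Graph scopes that a broader requested scope already covers, or that no observed API call needs. The coverage table is an assumption based on the review comment's statement about Mail.ReadWrite; the scope lists and call log are constructed.

```typescript
// Added example: hypothetical scope audit, not code from the PR.
// Assumption (from the review comment): a ReadWrite scope already grants
// the read access of the narrower scopes listed next to it.
const COVERED_BY: Record<string, string[]> = {
  "Mail.ReadWrite": ["Mail.Read", "Mail.ReadBasic"],
  "Contacts.ReadWrite": ["Contacts.Read"],
};

interface GraphCall { method: string; path: string }
interface Finding { scope: string; reason: string }

// /me/... is the signed-in user's mailbox; /users/{id}/... is someone else's.
function touchesOtherMailbox(path: string): boolean {
  return /^\/users\/[^/]+\//.test(path);
}

function auditScopes(requested: string[], calls: GraphCall[]): Finding[] {
  const has = (s: string): boolean => requested.indexOf(s) !== -1;
  const findings: Finding[] = [];
  for (const broad of Object.keys(COVERED_BY)) {
    if (!has(broad)) continue;
    for (const narrow of COVERED_BY[broad] || []) {
      if (has(narrow)) findings.push({ scope: narrow, reason: `redundant: covered by ${broad}` });
    }
  }
  // The shared-mailbox scope is only needed when a call leaves /me.
  if (has("Mail.Read.Shared") && !calls.some((c) => touchesOtherMailbox(c.path))) {
    findings.push({ scope: "Mail.Read.Shared", reason: "unused: every call targets /me" });
  }
  // Contact write access is only needed when a non-GET call hits /contacts.
  const writesContacts = calls.some(
    (c) => c.method !== "GET" && /\/contacts(\/|$)/.test(c.path),
  );
  if (has("Contacts.ReadWrite") && !writesContacts) {
    findings.push({ scope: "Contacts.ReadWrite", reason: "over-privileged: Contacts.Read suffices" });
  }
  return findings;
}

// Constructed sample data: scope lists before and after the change, and a call log.
const BEFORE = ["Mail.ReadBasic", "Mail.Read", "Mail.Read.Shared", "Mail.ReadWrite", "Contacts.ReadWrite"];
const AFTER = ["Mail.ReadWrite", "Contacts.Read"];
const CALLS: GraphCall[] = [
  { method: "GET", path: "/me/mailFolders/inbox/messages" },
  { method: "PATCH", path: "/me/mailFolders/inbox/messages/1" },
  { method: "GET", path: "/me/contacts" },
];

for (const f of auditScopes(BEFORE, CALLS)) console.log(`${f.scope}: ${f.reason}`);
console.log(`after: ${auditScopes(AFTER, CALLS).length} findings`);
```

A check like this can run in CI against the scope list and a recorded set of Graph calls, so a later change that reintroduces a broader scope is caught in review.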

elie222 merged commit ad6f8a1 into main on Nov 18, 2025
7 of 8 checks passed
elie222 deleted the feat/outlook-permissions branch on December 18, 2025 23:03