
OAuth scope and rights too permissive? #17

Closed
jasonm opened this issue Jan 19, 2013 · 16 comments

Comments

jasonm (Member) commented Jan 19, 2013

We don't need read+write for private repos, and this is rightfully concerning to users:

UPDATE: We sure don't need repo, but it'd be nice to narrow public_repo to public_repo:status.

http://developer.github.com/v3/oauth/#scopes

jasonm (Member Author) commented Jan 19, 2013

cc @jtimberman @freeformz @cbeams re our Twitter conversation about this.

jasonm (Member Author) commented Jan 19, 2013

cc @ryanbrainard did we discuss this (GitHub OAuth scope granularity) yesterday? If so, do you know anything about it?

jasonm (Member Author) commented Jan 19, 2013

I've contacted GitHub support to ask if we can have a public_repo:status OAuth scope.

jasonm (Member Author) commented Jan 19, 2013

Also curious if @roidrage of @travis-ci, @dlowe of @circleci, or @semipermeable of @tddium know anything about this? Sorry for the CCfest, feel free to de-watch, but I heard this is a feature GitHub is reticent to add (hope I'm super wrong about that 😃 ) so I'm eager to either (1) see that this convo exists already somewhere or (2) get it started.

jasonm (Member Author) commented Jan 19, 2013

Interesting: I have verified that only the public_repo scope is necessary, and that it gives authorization to update commit status for public repos. I'll fix accordingly.

@jasonm jasonm closed this as completed in c050a64 Jan 19, 2013
jasonm (Member Author) commented Jan 19, 2013

Side note: possibly clarify GH docs if that'd be helpful. github/developer.github.com@77c7f3c#commitcomment-2465391

jasonm (Member Author) commented Jan 19, 2013

No more private repo access:

cbeams commented Jan 21, 2013

Thanks for such a quick turnaround on this, @jasonm. I'll just mention that it may continue to be concerning to users when they see that ClaHub can update commits in public repositories. I'm still not sure myself whether this is actually something that ClaHub needs permission-wise—I would think it needs only access to Issues (and therefore Pull Requests). Perhaps I'm missing something, or perhaps this is just as fine-grained as GitHub's OAuth scopes can go?

In any case, can you verify whether ClaHub would ever actually "update commits" in a repository that uses it? And if so, why?

jasonm (Member Author) commented Jan 21, 2013

Thanks for pushing on this Chris, very good point.

CLAHub creates "commit status" updates to indicate pass/fail at a per-commit granularity with the http://developer.github.com/v3/repos/statuses/ API.

GitHub itself actually rolls up the commit statuses to determine the status of a pull (e.g. each commit in the pull must pass, otherwise the whole pull is failed).

It could indeed suffice with a reduced OAuth scope for only modifying the status of commits on a public repo, but this scope doesn't exist in GitHub's API.

CLAHub has no need to modify the contents of commits, only to set commit status. I'll follow up with GH.

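Added example, not CLAHub's code and not posted in this thread: it shows the two things the discussion turns on in working Python. First, what a commit-status update actually is (a POST to the v3 statuses API with one of four states, so no write to commit contents is involved). Second, a least-privilege check of the scopes a token was actually granted against the scopes the operation needs, which is how you would verify the fix Jason describes (`repo` replaced by `public_repo`, and no scope at all for people who only sign). Assumptions: the endpoint shape and the four states are from GitHub's statuses API docs; GitHub reports a token's granted scopes in the `X-OAuth-Scopes` response header; the only scope hierarchy modelled is that `repo` covers `public_repo`; the function names, the `clahub` context string and the sample headers are constructed for illustration; the `public_repo:status` scope the thread asks for does not exist and is not modelled.

```python
"""Build a GitHub commit-status request and check a token's OAuth scopes
against the least set an operation needs (added example, not CLAHub code)."""
from __future__ import annotations

from dataclasses import dataclass

GITHUB_API = "https://api.github.com"

# The four states the v3 statuses API accepts (from GitHub's API docs).
VALID_STATES = frozenset({"error", "failure", "pending", "success"})

# Coarser scope -> narrower scopes it also grants. Assumption: only the
# relationship this thread relies on is encoded (repo covers public_repo).
SCOPE_IMPLIES = {"repo": frozenset({"public_repo"})}

# What each kind of CLAHub user needs (as described in the thread):
# agreement owners need status writes on public repos; signers only
# need their identity, i.e. the empty scope set.
REQUIRED_FOR_STATUS_UPDATE = frozenset({"public_repo"})
REQUIRED_FOR_SIGNER = frozenset()


def build_status_request(owner: str, repo: str, sha: str, state: str,
                         description: str, target_url: str | None = None,
                         context: str = "clahub") -> tuple[str, dict]:
    """Return (url, json_body) for POST /repos/{owner}/{repo}/statuses/{sha}.

    Only metadata about the commit is sent; the commit itself is untouched.
    """
    if state not in VALID_STATES:
        raise ValueError(f"invalid state {state!r}; expected one of {sorted(VALID_STATES)}")
    if len(sha) != 40 or any(c not in "0123456789abcdef" for c in sha.lower()):
        raise ValueError("sha must be a full 40-hex-digit commit id")
    url = f"{GITHUB_API}/repos/{owner}/{repo}/statuses/{sha}"
    body = {"state": state, "description": description, "context": context}
    if target_url:
        body["target_url"] = target_url
    return url, body


def parse_oauth_scopes(header: str | None) -> frozenset:
    """Parse the comma-separated X-OAuth-Scopes header; empty -> no scopes."""
    if not header:
        return frozenset()
    return frozenset(s.strip() for s in header.split(",") if s.strip())


def expand_scopes(scopes: frozenset) -> frozenset:
    """Add every narrower scope implied by a granted coarser scope."""
    effective = set(scopes)
    for s in scopes:
        effective |= SCOPE_IMPLIES.get(s, frozenset())
    return frozenset(effective)


@dataclass(frozen=True)
class ScopeReport:
    granted: frozenset    # scopes literally present in the header
    effective: frozenset  # granted plus implied
    missing: frozenset    # required scopes the token cannot exercise
    excess: frozenset     # granted scopes the operation does not need

    @property
    def least_privilege(self) -> bool:
        return not self.missing and not self.excess


def check_scopes(header: str | None, required) -> ScopeReport:
    """Compare granted scopes with the required set.

    A scope counts as excess when it is granted but not itself required,
    so a token holding `repo` for a public-repo status update is flagged
    even though `repo` technically covers `public_repo`.
    """
    granted = parse_oauth_scopes(header)
    required = frozenset(required)
    effective = expand_scopes(granted)
    return ScopeReport(granted=granted, effective=effective,
                       missing=required - effective,
                       excess=granted - required)


if __name__ == "__main__":
    # Constructed headers mirroring the thread: before the fix, after it,
    # and a signer who should need no scope at all.
    for label, hdr, req in [("before fix", "repo", REQUIRED_FOR_STATUS_UPDATE),
                            ("after fix", "public_repo", REQUIRED_FOR_STATUS_UPDATE),
                            ("signer", "", REQUIRED_FOR_SIGNER)]:
        r = check_scopes(hdr, req)
        print(f"{label:10s} least_privilege={r.least_privilege} "
              f"missing={sorted(r.missing)} excess={sorted(r.excess)}")
    url, body = build_status_request("jasonm", "clahub", "a" * 40, "success",
                                     "All contributors have signed the CLA")
    print(url, body)
```

In practice you would feed `check_scopes` the `X-OAuth-Scopes` header from any authenticated API response made with the token, and fail loudly when `excess` is non-empty: that is the cheapest guard against an app silently re-requesting `repo` after a refactor.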

@jasonm jasonm reopened this Jan 21, 2013
jasonm (Member Author) commented Jan 22, 2013

Followed up.

jtimberman commented

🤘 thanks @jasonm!

jasonm (Member Author) commented Feb 17, 2013

To update, we're currently using the least permissive ("best") GitHub OAuth scope we're able to.

cbeams commented Feb 25, 2013

Thanks, Jason!


jasonm (Member Author) commented Dec 1, 2013

Thinking more on this, we only need this scope for people who make agreements. People who are signing agreements really only need their identity provided by GitHub, so we should be able to only ask for the (no scope) "Public read-only-access" GitHub OAuth scope. I've added a new issue #54 for this. I'll keep this issue #17 open in case there's ever a public_repo:status scope, which would be the ideal (most restrictive) scope for people who create agreements.

ferventcoder commented

Can this be closed? #101 (comment)

genevec (Collaborator) commented Mar 14, 2016

Yup. Closing! See #101.

@genevec genevec closed this as completed Mar 14, 2016