OAuth scope and rights too permissive? #17
Comments
cc @jtimberman @freeformz @cbeams re our Twitter conversation about this.
cc @ryanbrainard did we discuss (GitHub OAuth scope granularity) this yesterday? If so, do you know anything about it?
I've contacted GitHub support to ask if we can have a
Also curious if @roidrage of @travis-ci, @dlowe of @circleci, or @semipermeable of @tddium know anything about this? Sorry for the CCfest, feel free to de-watch, but I heard this is a feature GitHub is reticent to add (hope I'm super wrong about that 😃 ) so I'm eager to either (1) see that this convo exists already somewhere or (2) get it started.
Interesting: I have verified that only the
Side note: possibly clarify GH docs if that'd be helpful. github/developer.github.com@77c7f3c#commitcomment-2465391
Thanks for such a quick turnaround on this, @jasonm. I'll just mention that it may continue to be concerning to users when they see that ClaHub can update commits in public repositories. I'm still not sure myself whether this is actually something that ClaHub needs permission-wise—I would think it needs only access to Issues (and therefore Pull Requests). Perhaps I'm missing something, or perhaps this is just as fine-grained as GitHub's OAuth scopes can go? In any case, can you verify whether ClaHub would ever actually "update commits" in a repository that uses it. And if so, why?
Thanks for pushing on this Chris, very good point. CLAHub creates "commit status" updates to indicate pass/fail at a GitHub itself actually rolls up the commit statuses to determine the status It could indeed suffice with a reduced oauth scope for only modifying the CLAHub has no need to modify the contents of commits, only to set commit On Sunday, January 20, 2013, Chris Beams wrote:
Jason Morrison
Followed up.
🤘 thanks @jasonm!
To update, we're currently using the least permissive ("best") GitHub OAuth scope we're able to.
Thanks, Jason! On Feb 17, 2013, at 1:07 AM, Jason Morrison notifications@github.com wrote:
Thinking more on this, we only need this scope for people who make agreements. People who are signing agreements really only need their identity provided by GitHub, so we should be able to only ask for the
Can this be closed? #101 (comment)
Yup. Closing! See #101.
We don't need read+write for private repos, and this is rightfully concerning to users:
UPDATE: We sure don't need "repo", but it'd be nice to narrow "public_repo" to "public_repo:status". http://developer.github.com/v3/oauth/#scopes
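As an added illustration (not code from this thread or from CLAHub), the following audits what a granted token actually carries against what a feature needs, in the spirit of the least-permissive-scope goal above. It reads the scope list GitHub returns in the X-OAuth-Scopes response header; the implication table (that "repo" covers "public_repo" and "repo:status", and "user" covers "user:email") is an assumption modelled for this example.

```python
from __future__ import annotations

# Assumed implication table: a granted scope also grants what it implies.
# "repo" covering "public_repo" and "repo:status" is the relationship the
# thread turns on; "user" covering "user:email" is included for signers.
IMPLIES: dict[str, set[str]] = {
    "repo": {"public_repo", "repo:status"},
    "user": {"user:email"},
}


def parse_scopes_header(header_value: str) -> set[str]:
    """Parse GitHub's X-OAuth-Scopes header, e.g. 'repo, user:email'."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def effective_scopes(granted: set[str]) -> set[str]:
    """Close a scope set under IMPLIES (what the token can really do)."""
    closure, frontier = set(granted), list(granted)
    while frontier:
        for implied in IMPLIES.get(frontier.pop(), ()):
            if implied not in closure:
                closure.add(implied)
                frontier.append(implied)
    return closure


def audit(granted_header: str, required: set[str]) -> dict[str, set[str]]:
    """Compare a token's grants with the scopes a feature needs.

    missing: required scopes the token cannot exercise at all
    broader: granted scopes that cover a requirement only by implication
             (e.g. "repo" when only "public_repo" is needed)
    surplus: granted scopes that serve no requirement, even by implication
    """
    granted = parse_scopes_header(granted_header)
    effective = effective_scopes(granted)
    justified = {g for g in granted if effective_scopes({g}) & required}
    return {
        "missing": required - effective,
        "broader": justified - required,
        "surplus": granted - justified,
    }


def is_least_privilege(granted_header: str, required: set[str]) -> bool:
    """True only when the token carries exactly what is needed."""
    return not any(audit(granted_header, required).values())
```

Run against the thread's "before" state, a token with "repo" audited against a signer who only needs identity reports "repo" as surplus, while the narrowed "public_repo" token passes for the commit-status use case.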