Limit required access rights #101
When registering a new repository, only request permission for those actions required by this application. This includes:

> - `user:email` - Grants read access to a user’s email addresses.
> - `repo:status` - Grants read/write access to public and private repository commit statuses. This scope is only necessary to grant other users or services access to private repository commit statuses without granting access to the code.
> - `admin:repo_hook` - Grants read, write, ping, and delete access to hooks in public or private repositories.
> - `admin:org_hook` - Grants read, write, ping, and delete access to organization hooks. **Note:** OAuth tokens will only be able to perform these actions on organization hooks which were created by the OAuth application. Personal access tokens will only be able to perform these actions on organization hooks created by a user.
> - `read:org` - Read-only access to organization, teams, and membership. [1]

...and is facilitated by the OmniAuth Github gem:

> ### Scopes
>
> GitHub API v3 lets you set scopes to provide granular access to different types of data:
>
> ```ruby
> use OmniAuth::Builder do
>   provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET'], scope: "user,repo,gist"
> end
> ```
>
> [2]

[1] GitHub API Documentation - OAuth: Scopes https://developer.github.com/v3/oauth/#scopes
[2] OmniAuth-Github gem documentation https://github.com/intridea/omniauth-github#scopes
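As an added illustration of the least-privilege configuration this PR describes (example code, not CLAHub's own): it builds the OmniAuth scope string from the five scopes listed above and compares a token's granted scopes, as GitHub reports them in the comma-separated `X-OAuth-Scopes` response header, against that list, so over-broad legacy grants and missing scopes can be flagged. The scope-hierarchy map is a partial assumption taken from the cited GitHub docs and covers only the scopes relevant here.

```ruby
# Added example, not CLAHub's code: least-privilege GitHub OAuth scopes.

# The scopes the PR description lists as required by the application.
REQUIRED_SCOPES = %w[user:email repo:status admin:repo_hook admin:org_hook read:org].freeze

# Partial map of GitHub's scope hierarchy (broader scope => narrower scopes it
# implies). Assumption drawn from the scope docs cited in the PR; not exhaustive.
IMPLIES = {
  'repo'            => %w[repo:status],
  'user'            => %w[user:email],
  'admin:org'       => %w[write:org read:org],
  'admin:repo_hook' => %w[write:repo_hook read:repo_hook]
}.freeze

# The omniauth-github provider takes one comma-separated string (see the gem docs).
def omniauth_scope_string(scopes = REQUIRED_SCOPES)
  scopes.join(',')
end

# GitHub returns a token's granted scopes in the X-OAuth-Scopes response header,
# comma-separated and possibly space-padded. Parse it into a deduplicated list.
def parse_granted_scopes(header_value)
  return [] if header_value.nil? || header_value.strip.empty?
  header_value.split(',').map(&:strip).reject(&:empty?).uniq
end

# Expand granted scopes with the narrower scopes they imply.
def expand(scopes)
  scopes.flat_map { |s| [s] + IMPLIES.fetch(s, []) }.uniq
end

# Scopes the token carries that the app never asked for (e.g. a broad "repo"
# grant where only "repo:status" is needed). Non-empty means over-privileged.
def excess_scopes(granted, allowed = REQUIRED_SCOPES)
  granted - allowed
end

# Required scopes the token does not satisfy, directly or via a broader scope;
# the user should re-authorize to pick them up.
def missing_scopes(granted, required = REQUIRED_SCOPES)
  required - expand(granted)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed header value for a user who authorized under a broad grant.
  legacy = parse_granted_scopes('user, repo, gist')
  puts "requested: #{omniauth_scope_string}"
  puts "excess:    #{excess_scopes(legacy).inspect}"
  puts "missing:   #{missing_scopes(legacy).inspect}"
end
```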
1689b44 to 040629c
Looks reasonable, I'm hoping to get a free evening soon to verify against a live server

Great! Thanks for your help :)

@jasonm I hate to bug you about this because I know it's a bit of a hassle, but it's the last piece we need to start using CLAHub for my project
Hey @jugglinmike thanks for the ping. I spun up https://clahub-staging.herokuapp.com and tested:
Reference: jasonmtest/clahub-test#1 I'll merge this & deploy to prod shortly.

Nice - any existing user may update their scopes by visiting https://www.clahub.com/auth/github (linked from the big blue front page "Sign in..." button) which brings up a screen like the following, indicating the reduction in scopes: Going forwards, new users will only be asked for these limited scopes. There is still the separation of signature-only limited scope -- Thanks for the PR @jugglinmike!

\o/

Wow, GitHub has a really slick UI for managing OAuth rights. This is working perfectly for my project. Thanks a ton, @jasonm!
@jasonm I don't have a deployed version of this application running, so I haven't been able to test this. Would you mind manually verifying that it works? Sorry, I know it's kind of a hassle, but I can't think of an automated way to ensure this actually works.
Commit message: