Github backend requires full organization account access #4329
Comments
Thanks @cbix, we are currently limited by the available scopes for OAuth apps provided by GitHub: It would be amazing to limit the access to a specific repo, but that's not available at the moment.
Thanks @erezrokah for the quick reply. I had the same issue when evaluating forestry.io so I already considered it an issue with GitHub's API, however with their server-based solution there's the possibility of using deploy keys, which is probably not possible over the web-based API that netlify-cms uses...
Got this response from the GitHub Developer Support:
I guess implementing a server-side GitHub app that provides API tokens to the client-side netlify-cms app means a significant amount of work. Also it seems like GitHub apps behave like a separate user so a big open question is if and how it's possible to a) authenticate a GitHub user towards the app and b) let the netlify-cms frontend create commits in the name of the authenticated user, without going through any server-side code and while still keeping the (very useful) possibility to restrict some users to only creating pull requests on the repo.
Great follow up @cbix, very good to know GitHub is moving on this.
Netlify CMS still requires full access to all repos; it's not nice.
This is a huge issue, obviously. I can't grant Netlify access to every organization I'm a part of.
Hi @austinschrader, to clarify Netlify doesn't require access to every organization. Netlify CMS (which acts as a GitHub client) requires repo access since it modifies repo files to manage content. That access can't be scoped to a specific repo due to the limitations specific to #4329 (comment) (those are on GitHub's side). We'd be happy to change the CMS implementation once GitHub supports better scoping.
@erezrokah I saw a few web apps asking for individual repo access (request access for repo on project basis).
Hi @prakis, can you share those?
Ya sure. https://Railway.app These are some apps which use only selected repositories.
I tested this one and it installs a GitHub application on your organization: GitHub apps do provide better granularity for permissions, but I don't think they can be used in a headless environment like the CMS. See https://docs.github.com/en/developers/apps/getting-started-with-apps/differences-between-github-apps-and-oauth-apps |
I can't trigger Netlify CMS to ask my github org for permission. We cannot publish articles but we can access the netlify CMS admin page no issue. Nothing is prompting for access in my Org settings |
Still a problem for me; I cannot let my private repositories be accessed at Netlify login time, it would be too problematic in my case. I wonder if offering an alternative with PAT (personal access tokens) which can now be restricted to specific repositories (https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) if I understand correctly, could be a nice solution. At the moment, though, I cannot use Netlify on some important projects because of this limitation.
Until we get a working solution with PATs, it seems creating a new GitHub account, and essentially using it as a "machine user", is at least a workable option. Create a new user and then only invite that user to the CMS repos it should be able to access, and create the OAuth credentials under that user as well. You can reuse your existing email with the "+" hack, like "myemail@email.com" becomes "myemail+github-myproject-cms-etc@email.com", so you don't need new email accounts just to make these machine user accounts on GitHub.
Maybe I'm misreading things, but https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes suggests that there is a scope called
Is there a reason we can't use GitHub Apps for this? Edit: See #7108 |
Describe the bug
We want to keep a static site project in a private github repo inside our organization and use netlify-cms for content management. However, the OAuth backend requires full read/write access to all repos of that organization and a more fine-grained selection of grants is not possible.
To Reproduce
github backend for netlify-cms
Expected behavior
One would expect that it's possible to restrict netlify-cms access to only the relevant repositories (just like it's possible when setting up a Netlify site from GitHub).
Screenshots
![Screenshot from 2020-09-17 17-39-35](https://user-images.githubusercontent.com/1295945/93495753-c220a880-f90e-11ea-86b3-2eae544ce1e2.png)
Applicable Versions:
CMS configuration
Additional context
I am aware that this issue might not be directly related to netlify-cms but to either the Netlify API or the Github OAuth API. Please let me know if I should report this upstream instead, thanks!
Our current workaround is creating a separate Github organization with a single private repo and granting the Netlify Auth Service full access to this organization.
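The thread's core point is that the classic OAuth `repo` scope cannot be narrowed to one repository, so a token the CMS obtains is effectively organization-wide. As an added example (not netlify-cms code), the audit below parses the scope list GitHub reports for a classic OAuth token in its `X-OAuth-Scopes` response header, expands the scopes implied by broader parents as listed in GitHub's scope documentation, and flags what exceeds the CMS's needs and what cannot be scoped to a single repo. The header value and the "required" list are constructed inputs.

```python
"""Least-privilege audit of classic GitHub OAuth token scopes.

Added example, not part of netlify-cms. The sample header value below is
constructed; in practice it comes from the X-OAuth-Scopes header on any
authenticated api.github.com response.
"""
from typing import Dict, Iterable, List, Set

# Child scopes implied by a parent scope, per GitHub's
# "Scopes for OAuth apps" documentation.
IMPLIED: Dict[str, Set[str]] = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
    "write:org": {"read:org"},
    "admin:org": {"write:org", "read:org"},
    "user": {"read:user", "user:email", "user:follow"},
}

# Scopes that apply to every repository/organization the user can reach;
# none of these can be restricted to one repository.
ORG_WIDE: Set[str] = {"repo", "public_repo", "read:org", "write:org", "admin:org"}


def parse_scopes(header_value: str) -> Set[str]:
    """Split a comma-separated X-OAuth-Scopes value into a scope set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand(scopes: Iterable[str]) -> Set[str]:
    """Close a scope set under the parent-implies-child relation."""
    effective: Set[str] = set()
    pending: List[str] = list(scopes)
    while pending:
        scope = pending.pop()
        if scope in effective:
            continue
        effective.add(scope)
        pending.extend(IMPLIED.get(scope, ()))
    return effective


def audit(granted_header: str, required: Iterable[str]) -> Dict[str, List[str]]:
    """Compare granted scopes with the scopes an app claims to need."""
    effective = expand(parse_scopes(granted_header))
    needed = expand(required)
    return {
        "missing": sorted(needed - effective),      # app will fail
        "excess": sorted(effective - needed),       # over-privilege
        "org_wide": sorted(effective & ORG_WIDE),   # cannot be repo-scoped
    }
```

Running `audit("repo, user", ["repo"])` on the constructed header shows that even the minimal `repo` grant a CMS needs still lands in `org_wide`, which is exactly the limitation the issue describes.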