Private group assignment repositories can still be cloned by anyone in the classroom organization

[ajarmst]

Result is that student groups can easily see each other's code in even private repo assignments. Bug?

[ajarmst]

Never mind. If you tunnel into the settings for the classroom organization, you can modify the default rights from "read" to "none".

[johndbritton]

@ajarmst You shouldn't need to modify team settings in your organization. Can you describe the issue you had step by step, what the results you expected were, and what the actual results were?

That'd be really helpful in determining if this is a bug and something that needs to be fixed.

[tarebyte]

@johndbritton with the new organization permissions there are now different levels of repository permissions.

Setting the level of permission to read and above allows all users access to all repos on the org even the private ones.

In order for them to be visible to just the admins and the teams/collaborators that work on them you need to set the permission level to none

[johndbritton]

@tarebyte I think this might answer the question of creating teams in #312 for us. If we stick to collaborators only, this will not impact the privacy of code.

[tarebyte]

I agree @johndbritton, setting everyone as outside collaborators will solve this issue.

[ajarmst]

Following the principal of "default to fewer permissions", perhaps the default repository permission for Classroom groups should be "None" rather than the current "Read".

[johndbritton]

@ajarmst Yes, I agree. We don't have a way to control that setting via the GitHub API, but we do have a solution in the works that will resolve this issue.

[johndbritton]

@ajarmst Thanks for reporting this, we're moving individual assignments to outside collaborators and we'll advise users with private group assignments to change this setting: #322