broad oAuth privileges #24
Comments
|
I’m not sure what we could meaningfully warn staff about that would help. As the commentary in the dear-github thread points out, this issue is Github’s alone to solve through the introduction of finer-grained permissions. Precog and other applications like Waffle and CircleCI need read access to private Mapzen repos for us to do our work, and the overly-broad I’ve added my hopefully-meaningful two cents there. |
|
@migurski it seems that there is a way to ask for a smaller/read-only scope as per this comment https://github.com/ZenHubIO/support/issues/77#issuecomment-70107147 |
|
I just noticed this when trying to auth to see WIP content for the search page, in that case I assume it just needs to confirm that I am a mapzen employee? |
|
That's public-only, though. Our blog and other repos are private with private data, so Precog needs permission to see that. |
|
Closing this, with merge of #46. |
I think (hope!?) this oAuth prompt is only for internal Mapzen employees.
Asking for full privileges such as this is a security risk and a pretty serious attack vector against mapzen-linked github accounts.
We should also be informing staff that approving 3rd party oAuth prompts of this nature is very insecure as the 3rd party app would be granted pull/push/admin access to our private repos and profiles which bypasses the 2 factor auth we have set up.
There is a long standing discussion thread for another product going on over here:
https://github.com/ZenHubIO/support/issues/77#issuecomment-60073982
cc/ @heffergm @baldur
The text was updated successfully, but these errors were encountered: