Allow GitHub App installation tokens in gists-related endpoints #126039
Unanswered
Minosity-VR asked this question in API and Webhooks
Replies: 0 comments
Select Topic Area
Question
Body
Gists-related endpoints cannot currently be queried by an app through an installation token, even though some of them are available without any authentication (the one to list a user's public gists for instance, or the one to query all public gists).
If you still try to query this endpoint, you will get a 403 error, and the returned X-Accepted-Github-Permissions header that is supposed to help you understand if there is a misconfiguration contains an undocumented allows_permissionless_access (I couldn't find anything online).
In this example I had an installation token with the authorisation to list the org members (working fine), but I couldn't retrieve the public gists afterward:
Is this the expected behaviour? I don't see any reason to block an app from doing something that can be done without any authentication.
For instance, for repositories there are two endpoints: one to query repos of the authenticated user, which cannot be queried with an installation token, and one to retrieve public repos of a user, which can be queried with such a token.
I think the same logic could be applied to gists: the public-gists endpoint should have the same permissions.
Thanks!
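A small triage helper for the situation described in the post, added here as an example (not code from the post or from GitHub): it parses an X-Accepted-GitHub-Permissions value and reports which permissions an installation still lacks and which items, such as allows_permissionless_access, are not a grantable read/write/admin level at all. The header grammar (`;` between alternative sets, `,` between jointly required permissions), the function names and the sample header values are assumptions.

```python
# Added example: triage the X-Accepted-GitHub-Permissions header from a 403.
# Assumed grammar: ';' separates alternative permission sets, ',' separates
# permissions that are all required within one set; each item is name=level.
LEVELS = {"read": 1, "write": 2, "admin": 3}


def parse_accepted_permissions(header):
    """Return a list of alternative sets, each a dict of name -> level."""
    alternatives = []
    for chunk in header.split(";"):
        required = {}
        for item in chunk.split(","):
            name, sep, level = item.strip().partition("=")
            if name:
                required[name.lower()] = level.strip().lower() if sep else ""
        if required:
            alternatives.append(required)
    return alternatives


def diagnose(header, granted):
    """Return (satisfiable, missing, unknown) for the granted permissions.

    missing: one dict per alternative set with what the token still lacks.
    unknown: items whose level is not read/write/admin (nothing to grant).
    """
    missing, unknown = [], []
    for required in parse_accepted_permissions(header):
        lacking = {}
        for name, level in required.items():
            if level not in LEVELS:
                unknown.append(f"{name}={level}" if level else name)
                lacking[name] = level
            elif LEVELS.get(granted.get(name, ""), 0) < LEVELS[level]:
                lacking[name] = level
        missing.append(lacking)
    return any(not lacking for lacking in missing), missing, unknown


# Constructed sample values, not captured from the API.
GRANTED = {"members": "read"}
SAMPLE_MEMBERS = "members=read"
SAMPLE_GISTS = "allows_permissionless_access=true"

if __name__ == "__main__":
    for sample in (SAMPLE_MEMBERS, SAMPLE_GISTS):
        print(sample, "->", diagnose(sample, GRANTED))
```

An empty `missing` entry means that alternative is already satisfied; a non-empty `unknown` list means the 403 cannot be resolved by changing the app's permission configuration.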