GitHub OAuth scope public_repo allows broad access #816

Closed
pdurbin opened this Issue Feb 22, 2015 · 2 comments

pdurbin commented Feb 22, 2015

It looks like commit e646a45 added the GitHub OAuth scope public_repo which seems to allow broad access to users' personal repos and (potentially) to repos of organizations they are members of.

The description of the public_repo scope at https://developer.github.com/v3/oauth/#scopes is "Grants read/write access to code, commit statuses, and deployment statuses for public repositories and organizations."

When I click "Authorize on GitHub" from http://prose.io I see the text below:

"This application will be able to read and write all public and private repo data. This includes the following:

  • Code
  • Issues
  • Pull requests
  • Wikis
  • Settings
  • Webhooks and services
  • Deploy keys"

And under "Organization access" I see "This organization allows the application to access organization data as described in the permissions above."

All this access being requested seems rather broad to me and I'm not sure if this is intentional. Prose will be able to write to settings and deploy keys? Here's a screenshot:

[screenshot: prose]

mikemorris (Member) commented Feb 23, 2015

This is actually narrower than the repo scope which was the only option before this change, and AFAIK this is the narrowest available scope that allows Prose to read and write to repositories.

mikemorris closed this Feb 23, 2015

mikemorris added the wontfix label Feb 23, 2015

pdurbin commented Feb 23, 2015

See also the comment by @arfon in reference to a related blog post I made yesterday. He talks about how scopes are limited but I still find the screenshot above terrifying. But whatever. :)
