Require less permissions for Zappr #90
I agree with this ... I don't really feel comfortable with giving some application write access to all my repositories, or admin access to hooks (for all my repositories). (Even if that application is hosted by Zalando, which I know is trustworthy.) It should be possible to request the permissions just for those repositories for which they are needed (I'm not installing zappr for all my private repos, just some Zalando ones), and just for the time it is needed. (The admin permissions are only needed while installing/uninstalling, right?) Do we really need write access to the repo to get the list of contributors? Could I remove that permission when not using this feature in my .zappr.yaml, and not using the branch creation feature? (I don't really see this branch creation thing as valuable – not every issue needs a branch, and often those branches should have a different name anyways, or will be on some forked repository.)
Yeah, but the Github API doesn't work that way. Either we get access to all public repos or all public and private repos.
Yes, that would work. The main obstacle is that it would take some work to get the UX of all this right.
Hmm, so Github has too limited a permission model here :-( (I did have a look to find if there is some public feature request tracker for Github, but didn't find any.)
* #90 save wip
* #90 recover mode via database if necessary
* #90 env reducer for client
* #90 no need to import all env
* #90 make zappr_mode an enum
* #90 remove react-cookie
* #90 switch order with profile
* #90 add some tests
* #90 docs, tests
* #90 fix migrations
* #90 fix migrations again
* #90 remove console.log
* #90 add extended scopes to config
* #90 documentation
* #90 more documentation
* #90 remove unused loggers, add image
* #90 rename mode to access level
* #90 rename upgrade/downgrade link
* #90 new docs image
* #90 do not commit changes of db settings
* #90 rename /change-mode to /change-access-level
* #90 change migrations as model.sync() will go away
* #90 rename migration
* #90 fix: addColumn args in migration
It should be possible to give Zappr only a minimal set of permissions initially and then upgrade.
Braindumping how it could work
User
(first* db migration!)
X-OAuth-Scopes response header.
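The issue body refers to the X-OAuth-Scopes response header as the way to find out which scopes a token actually carries, and the commits talk about an "access level" with upgrade/downgrade. The following is an added example, not Zappr's code: it parses that header and compares the granted scopes with what a given access level needs, so a service can tell whether an upgrade is required or whether the token holds more than the level needs (a downgrade candidate). The two access levels, their scope sets and the implied-scope table are assumptions for illustration; the scope names themselves are GitHub's, and the header value is a constructed sample.

```python
"""Compare a token's granted OAuth scopes with the scopes an access level needs.

GitHub reports the scopes attached to a token in the X-OAuth-Scopes response
header as a comma-separated list, e.g. "repo, user". This example is added
for illustration and is not Zappr's own code.
"""

# Assumed access levels and the scopes each one needs. These sets are an
# assumption for this example, not Zappr's actual configuration.
REQUIRED_SCOPES = {
    "minimal": {"public_repo", "write:repo_hook"},
    "extended": {"repo", "admin:repo_hook"},
}

# Broader scopes that GitHub treats as including narrower ones. Assumed from
# GitHub's documented scope hierarchy for the purposes of this example.
IMPLIED_SCOPES = {
    "repo": {"public_repo"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
}

# Order in which access levels are tried, most privileged first.
ACCESS_LEVEL_ORDER = ["extended", "minimal"]


def parse_oauth_scopes(header_value):
    """Turn the X-OAuth-Scopes header value into a set of scope names."""
    if not header_value:
        return set()
    return {part.strip() for part in header_value.split(",") if part.strip()}


def expand_scopes(scopes):
    """Close a scope set under the implied-scope relation (repo -> public_repo ...)."""
    result = set(scopes)
    changed = True
    while changed:
        changed = False
        for scope in list(result):
            for implied in IMPLIED_SCOPES.get(scope, ()):
                if implied not in result:
                    result.add(implied)
                    changed = True
    return result


def missing_scopes(header_value, access_level):
    """Scopes the access level needs that the token does not grant (upgrade needed)."""
    granted = expand_scopes(parse_oauth_scopes(header_value))
    return REQUIRED_SCOPES[access_level] - granted


def excess_scopes(header_value, access_level):
    """Scopes the token carries beyond what the access level needs (downgrade candidates)."""
    granted = parse_oauth_scopes(header_value)
    needed = expand_scopes(REQUIRED_SCOPES[access_level])
    return granted - needed


def current_access_level(header_value):
    """Highest access level fully covered by the token, or None if not even minimal."""
    for level in ACCESS_LEVEL_ORDER:
        if not missing_scopes(header_value, level):
            return level
    return None


if __name__ == "__main__":
    # Constructed sample header value, as GitHub would return it for a token.
    sample_header = "public_repo, write:repo_hook, user"
    print("granted:", sorted(parse_oauth_scopes(sample_header)))
    print("current level:", current_access_level(sample_header))
    print("missing for extended:", sorted(missing_scopes(sample_header, "extended")))
    print("excess for minimal:", sorted(excess_scopes(sample_header, "minimal")))
```

Reading the scopes back from the header, rather than trusting what was requested at authorization time, matters because the user may have revoked or narrowed the grant since; a service that re-checks on each login can prompt for an upgrade only when a feature actually needs it and offer a downgrade when the broader scopes are no longer used.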