OAuth scopes by repository (or organization) #731
Comments
|
Yes, this is a massive pain, which prevents usage of OAuth apps in one organisation you're a member of when you can't or don't want to get approval from all the organisations you're in to give access to the app in question. Here's an example of the problem:
Here I want to test out GerritHub on a few repositories before potentially recommending that one or more organisations I'm in should adopt it. But it wants to automatically grant access of the OAuth app to all organisations which haven't enabled third-party application access restrictions. For the organisations I'm an admin of, I could enable this restriction, e.g.:
but for the other organisations which don't yet have the restriction enabled, I would have to ask the admins of those organisations to enable third-party access restrictions before I could safely authorise the app without giving it unwanted access. Readers might wonder why automatically giving out unneeded access to an organisation is a problem if that organisation didn't explicitly enable third-party access restrictions. Taking the example of the GerritHub app above, one of the permissions it asks for is It is worth emphasising that this is not a flaw with GerritHub, only with GitHub's permissions model. And it may even be possible for GerritHub to find a workaround for the problem. But GerritHub was just chosen as an example to illustrate the problem here; it could apply for any OAuth app. |
|
@aspiers thanks for raising this. We are planning to introduce an "Individual Maintainer" scope that would NOT require read:org. However, some of the GerritHub features won't be available, like the resolution of GitHub Teams in Gerrit ACLs. It would be great if GitHub could allow to choose which organisations to share with GerritHub :-) |
|
According to houndci/hound#925 (comment) apparently moving to GitHub Apps would allow per repo specific permissions. Would this be another option for apps like GerritHub? (Although I appreciate it would presumably be a much bigger change.) |
|
@lucamilanesio commented on 14 Jun 2018, 21:40 BST:
Looks like this has been done: GerritHub.io and the new Reviewer role | GerritForge Blog |
|
@aspiers yes, and still allows to push changes to personal public ptojects on Gerrit ... they won’t be replicated back to GitHub unless you grant a public:repo scope. Code review will work fine on Gerrit though |
TPS
added
organizations
permissions
authentication
When an application using the API requests permissions from me and wants be able to do stuff with one repository, it has to request access to all repositories I have access to (whether I'm the owner or just member of an organization related to it).
E.g. Zappr (a PR approval tool) currently needs read + write access to all repositories, and admin-access to the hooks, though I only want to configure it for one repository. (Related: zalando/zappr#90)
The OAuth flow should allow to request (and give) access for just one specific repository, instead all of them.
(Same is valid for organization-level permissions.)
The text was updated successfully, but these errors were encountered: