
Github Write Permissions? #192

Closed
defensivedepth opened this issue Jun 30, 2020 · 10 comments

Comments

@defensivedepth

Hello there!

I am attempting to submit a new license for inclusion to the license list, using the web form at http://13.57.134.254/app/submit_new_license/

It appears that I am required to give the SPDX Online Tools app write access to all of my public repos? Can you clarify why this permission would be needed for me to submit a web form?

Thanks!


@goneall
Member

goneall commented Jul 1, 2020

@defensivedepth The online tools require access in order to create an issue in the license-list-XML repository.

I don't know if write access is required or if there is a lesser permission that would allow for an issue to be created.

If we can create issues without write access, I would be all for changing the permission request.

@goneall
Member

goneall commented Jul 15, 2020

@defensivedepth @rtgdk Any ideas if it is possible to create an issue without write access? If not, let's close the issue since the legal team requires the issue to be submitted with the user's github username.

@rtgdk
Collaborator

rtgdk commented Jul 16, 2020

@goneall We definitely don't need "Deploy keys", "Webhooks and Services", "Wikis" and "Code" permissions to create an Issue in the license-list repo. Can you update the github app permission and try to create a dummy issue?

@defensivedepth
Author

Unfortunately I still don't see how I could give this app read/write access to the settings/issues/pull requests for all of my public repos. If you only need the email address, I would think you could just select that permission?

@goneall
Member

goneall commented Jul 17, 2020

@rtgdk @defensivedepth I will experiment with the permissions. Since we are creating an issue on behalf of the user, I believe we will need more than email permission, but I'll do some experiments and find out if there is a reduced set that will work.

@goneall
Member

goneall commented Jul 17, 2020

@rtgdk I did not find any settings for a finer grained access in the Github configuration. It looks like the scope of the request is set in the settings at

SOCIAL_AUTH_GITHUB_SCOPE = ['public_repo', 'user:email']

It is only asking for public repo and email.

Let me know if you know of a way to request finer grained permissions.

@rtgdk
Collaborator

rtgdk commented Jul 17, 2020

@goneall Yeah, I tried a bunch of combinations but "public_repo" access is needed for Github Oauth apps. If we move to Github Apps, they have finer-grained permissions, but Oauth apps seem to have a limited number of fixed permissions with no way to modify the read/write access: https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes

Opened an issue for moving to Github Apps #204, but for the time being we would have to use this Oauth app perms only.
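
The two comments above (the `SOCIAL_AUTH_GITHUB_SCOPE = ['public_repo', 'user:email']` setting and the finding that an OAuth app cannot request anything narrower than `public_repo` to create an issue) lend themselves to a small audit script. The following is an added example, not code from the spdx-online-tools project or from either commenter. It assumes GitHub's documented OAuth scope names and their implication hierarchy (`repo` implies `public_repo`, `user` implies `user:email`, and so on) and the comma-separated `X-OAuth-Scopes` response header that api.github.com returns for token-authenticated requests; the header values it audits are constructed samples, not captured from a real account. It compares what a token was actually granted against the least set an operation needs and reports the surplus, separating out scopes that confer write access, which is the risk the reporter raised.

```python
"""Audit granted GitHub OAuth scopes against the minimum an operation needs.

Added example; not part of spdx-online-tools. Assumes GitHub's documented
OAuth scope names/hierarchy and the X-OAuth-Scopes response header format.
"""
from typing import Dict, FrozenSet, Iterable, List, Set

# Parent scope -> scopes it implies (subset of GitHub's documented hierarchy).
IMPLIED: Dict[str, FrozenSet[str]] = {
    "repo": frozenset({"repo:status", "repo_deployment", "public_repo",
                       "repo:invite", "security_events"}),
    "user": frozenset({"read:user", "user:email", "user:follow"}),
    "admin:repo_hook": frozenset({"write:repo_hook", "read:repo_hook"}),
    "write:repo_hook": frozenset({"read:repo_hook"}),
    "admin:org": frozenset({"write:org", "read:org"}),
    "write:org": frozenset({"read:org"}),
    "admin:public_key": frozenset({"write:public_key", "read:public_key"}),
    "write:public_key": frozenset({"read:public_key"}),
    "admin:gpg_key": frozenset({"write:gpg_key", "read:gpg_key"}),
    "write:gpg_key": frozenset({"read:gpg_key"}),
    "write:packages": frozenset({"read:packages"}),
    "write:discussion": frozenset({"read:discussion"}),
}

# Scopes that allow the holder to change something on the user's behalf.
WRITE_SCOPES: FrozenSet[str] = frozenset({
    "repo", "public_repo", "repo:status", "repo_deployment", "repo:invite",
    "security_events", "admin:repo_hook", "write:repo_hook", "admin:org",
    "write:org", "admin:public_key", "write:public_key", "admin:gpg_key",
    "write:gpg_key", "delete_repo", "gist", "workflow", "write:packages",
    "delete:packages", "write:discussion", "admin:org_hook",
})


def parse_scope_header(header: str) -> Set[str]:
    """Parse an X-OAuth-Scopes value such as 'public_repo, user:email'."""
    return {part.strip() for part in header.split(",") if part.strip()}


def expand(scopes: Iterable[str]) -> Set[str]:
    """Close a scope set under the hierarchy: 'repo' also yields 'public_repo', etc."""
    result: Set[str] = set(scopes)
    stack: List[str] = list(result)
    while stack:
        scope = stack.pop()
        for child in IMPLIED.get(scope, ()):
            if child not in result:
                result.add(child)
                stack.append(child)
    return result


def audit(granted_header: str, required: Iterable[str]) -> Dict[str, List[str]]:
    """Compare granted scopes (from the response header) with the required set.

    Returns sorted lists: scopes still missing, all surplus scopes, surplus
    scopes that carry write access, and the required scopes that are themselves
    write scopes (the floor the app cannot get below with an OAuth app).
    """
    granted = expand(parse_scope_header(granted_header))
    needed = expand(required)
    surplus = granted - needed
    return {
        "missing": sorted(needed - granted),
        "excess": sorted(surplus),
        "excess_write": sorted(surplus & WRITE_SCOPES),
        "write_required": sorted(needed & WRITE_SCOPES),
    }


if __name__ == "__main__":
    # What the online tools request (from the SOCIAL_AUTH_GITHUB_SCOPE setting),
    # which is also the floor an OAuth app needs to open an issue on a public repo.
    REQUIRED = ["public_repo", "user:email"]
    # Constructed sample header values, as api.github.com would echo them back.
    for sample in ("public_repo, user:email", "repo, user", "user:email"):
        print(sample, "->", audit(sample, REQUIRED))
```

Run it as a script to see the three sample audits; in a real deployment the header would come from the response to any authenticated request made with the user's token, and a non-empty `excess_write` list is the signal that the token holds more than the workflow needs.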

@defensivedepth
Author

Thanks all for looking into this. You may want to consider modifying this particular workflow. You probably don't want to take on the risk of having your app have R/W access to users' public repos just so that they can submit a request for inclusion of a new license.

At this point, I will submit my request via email -

@goneall
Member

goneall commented Jul 17, 2020

@rtgdk Thanks for the research on this.

@defensivedepth Agree with reducing the permissions. Rather than email, you could submit an issue directly to the SPDX License List XML repo instead of using the online tools app.

@defensivedepth
Author

@goneall Done, thanks!

spdx/license-list-XML#1075
