I am writing a Github App that is able to create repositories in an installation.
When the App acts on behalf of an authenticated user, I would like to check that the user can (by themselves) create a repository in the org.
I have spent a lot of time on GitHub's API docs, but I cannot find the answer.
My first thought was that this info should be available in the endpoint /user/installations. The endpoint lists the installations that the user can access (either as a member of an organization or as an external collaborator). However, the permissions returned with each entry are actually the permissions for the App, not for the user. So, this is a dead end.
Another direction was looking at the (public+private) organizations of the user using /user/orgs.
(This does not seem the right direction because as an App I would expect to operate only on installations...)
With this endpoint, I can get all the organizations of the user. However, I don't get whether they can create repos and/or what the role of the user is in the organization.
Should I use the teams/roles part of the API?
My App doesn't ask for the members suite of permissions so I would like to avoid this road.
At this point, the only workarounds are:
Try to create the repo as the user, take note if it fails. Bad solution because I don't want to tell the user that they can create a repo if they can't.
In the background, try to create a repo as the user to check if it possible. If it is, delete the repo. This works but it seems an ugly workaround.
Any suggestion?
Related
I am tasked to help automate the workflow related to automating a few tasks related to management of our organization account on GitHub. For example, add and remove users from the org, create new repos, add external collaborators etc. The requests for this actions will come from a system where a user fill in a form and this system will curl to the GitHub API after the request is reviewed and approved.
By reading the GitHub API documentation I can set up the curls for this, but I am unsure about authentication best practices. My first idea would be to create a user account specific for this use case, make it admin for the org, and create an OAuth token with scopes needed to be allowed to make this requests. However, it feels a bit too hacky to create an individual account for something that is not an individual, and then make it admin of the whole organization.
Is there a better way to approach this?
Objective: Allow different clients access to only read/pull from my private repo.
Overview:
Listed are the different options that I am aware of:
I could invite the clients and give them access to the Basic access level but do know what to have to pay for different users just to read/clone from the repo.
I could create a single user with Basic access level and then create git access tokens for them individually. However, I did not see a way to restrict the access tokens to be project/repo specific. Instead, the access tokens create had the same privileges as the created user.
Question: What is the best practice to provide access to an external user to only access the private Azure DevOps repo?
Note: I have seen this link and did not know if there were other options.
To make the user only have read access to all repos in one project:
You may consider making the user a reader instead of contributor or Project Administrators, so the user can have only read access to the repos in one project.
Organization Settings=>Users(General)=>Manage user=> select Project reader.
More details about project readers you can check this document.
To make the user only have read access to one special repos in one project:
We can control related permissions from Project Settings=>Repositories(Repos)=>Version Control Administrators:
Hope all above helps :)
I am using Github Enterprise v2.13.5 and want to activate dormant users. Currently Github automatically activates the dormant user when they log back in. But I need to explicitly activate all dormant users
The /users API does not tell us whether a User is dormant or not. There are some manual workarounds for at least identifying the inactive users , but most that I found are not feasible in practice.
If you do not need any information on which user was dormant, you could write a little script that automatically creates impersonation tokens for each user and (in their name) do one arbitrary action on Github:
With your account, create a project [yourname]/un-dormant-project
For each known user (get via /users API):
a. Create an impersonation token
b. In the name of the user, perform an arbitrary action on [yourname]/un-dormant-project
c. Delete impersonation token
I assume that you must not delete the project you created because otherwise the users will become dormant again very quickly.
Disclaimer: I did not try this approach out.
We've set up a Github app so that it automatically forks a repository for another individual Github user using the Github API. Now we're running into a problem that not everyone wants to give us full read access to all of their private repositories since sometimes they contain sensitive data.
Is there a way to only get read/write permission to a single repository and not the individual's entire account?
Unfortunately, this is not available yet. This feature is still under development as you can see in the Gihub Apps roadmap (and note that I am talking about Github Apps, not OAuth Github Apps). I don't know if this will ever be possible in OAuth Apps but it seems that it might in Github Apps.
There is already a discussion about this at the dear github repository. You should check for news there.
Is there a way to only get read/write permission to a single repository and not the individual's entire account?
Not that I know of: it is easier to setup a new dedicated GitHub account where you would recreate the private repos you want to give access to.
In that new account, you can consider all the private repos can be accessed.
You would keep the really private ones (with sensitive information) in your original GitHub account.
I believe you're looking for X-OAuth-Scopes. This is a well-defined header so that you may restrict your access scope to, for example, public repositories only.
The github developer documentation here says:
... space-delimited list of scopes. If not provided, scope defaults to an empty list for users that have not authorized any scopes for the application. For users who have authorized scopes for the application, the user won't be shown the OAuth authorization page with the list of scopes. Instead, this step of the flow will automatically complete with the set of scopes the user has authorized for the application. For example, if a user has already performed the web flow twice and has authorized one token with user scope and another token with repo scope, a third web flow that does not provide a scope will receive a token with user and repo scope.
Using this link I can see that my (tonylampada) id on github is 218821
https://api.github.com/users/tonylampada
How could I do the opposite? Given the user id = 218821, what's the username?
Update
Answering nulltoken here because it's a long story and it won't fit in a comment.
FreedomSponsors is a django application that uses django-social-auth to enable login with Github (and others).
(You should check it out, btw, please see the about page in the blog :-)
Django-social-auth has a configuration flag that allows the application to store the github username on the database.
A few days ago I deployed a new version of FS with github login enabled, but with "storeGithubUsername" set to false.
A few users registered their github accounts, and now the database has their github ids, but not their usernames.
You can se in my profile that I have github as a "connected account" but there's no link to my github page.
I need it to make the link point to https://github.com/tonylampada
I'm ready to deploy a new version that fixes this, by setting the "storeGithubUsername" (that's not what it is called, I'm just simplifying here) to true.
But I'd like to patch the database with the already github-registered users. I have their github ids, but not their github usernames.
We need to do this on Gitter to deal with the situation where a user has changed their username on GitHub and we get a 404 response when querying their old username.
Here's an undocumented endpoint, so use as your own peril, but it does work for now.
Use the endpoint: https://api.github.com/user/:id, where :id is the ID of the user.
Similar endpoints exist for repos and orgs, at
https://api.github.com/repositories/:id and https://api.github.com/organizations/:id respectively.
Note that the new repository redirects preview API only supports repositories, not renamed users or organizations. In fact, the HTTP 301 redirect actually points to https://api.github.com/repositories/:id, so there's a good chance that these "ID" endpoints may in fact become official soon.
There's no documented feature, nor undocumented ones that I know of, that expose the retrieval of the username from the id. From the GitHub API consumer perspective, the user id is an "implementation detail". The real key is the username.
From what I understand, you only require a batch of usernames given a list of ids. And this would be a one time only request, not a permanent need.
As your request seems legit and limited in its scope, you might get this answer directly from GitHub support by dropping them an email at support#github.com.
Indeed, xpaulbettsx, a GitHubber, even tweeted about this:
Support# is good for Anything you want to tell GitHub - bugs, features, high 5s; everything but security which go to security#
By the time I answer this question, the method that works is:
https://api.github.com/user/USER_ID
Remark: It is similar to what Andrew shared in 2015; you just have to remove the colon in the URL he shared.