I'd like to create a GitHub app to display the current issues in a repository, organized by labels. The repositories under the organization are private, but my account has admin access. I've installed the app under my name. The API list-issues-for-a-repository is returning:
{
"message": "Not Found",
"documentation_url": "https://developer.github.com/v3/issues/#list-issues-for-a-repository"
}
I've set the app permissions as follows:
Repository permissions
Issues - Read-only
Metadata - Read-only
No access for everything else
Organization permissions
No access for all
User permissions
No access for all
Subscribe to events
Unchecked for all
Getting all the repos using /orgs/«org»/repos returns an empty array, meaning the private repositories aren't showing up, so there's likely a permission issue going on here, too.
Questions:
Do I need to install the app under the organization? The organization is not showing any installed apps, even though we're running Codacy and GitHub Desktop.
The app is not under the organization's Third-party access policy. Do I need to add it? I don't see any way to request permissions, and I don't know if GitHub apps work this way.
Do I need to include more permissions for the app? I just need read-only for the issues and don't want to expose more than I need.
First of all, confirmed it has to be a "GitHub App" and not an "OAuth App", because the API to list the issues in a repository is, according to the documentation, available only to GitHub Apps. I took an initial wrong turn, documented in the edit history of a previous related issue, of selecting an OAuth App, and getting nowhere.
As far as my specific questions:
Do I need to install the app under the organization? The organization is not showing any installed apps, even though we're running Codacy and GitHub Desktop.
Yes, it needs to be installed or added under the organization. It was easier for me to delete the existing app under my account, and re-add (vs re-install) under the organization.
The app is not under the organization's third-party access policy. Do I need to add it? I don't see any way to request permissions, and I don't know if GitHub apps work this way.
Once the app is added under the organization, it is automatically given access. You can fine tune which repositories it can access or let it access them all. Installing, as opposed to adding, might need a few more steps, and the app needs to be published first. My app is intended for the organization only, so I opted for the simpler solution. Also, even if you give the app access to all repositories, the access rights of whoever logs in take precedence. For example, someone outside of the organization won't see any private repositories.
Do I need to include more permissions for the app? I just need read-only for the issues and don't want to expose more than I need.
No, just read-only for issues, meta-data is included automatically.
With these revisions I was able to access the repositories, and also get results for list-issues-for-a-repository.
Related
Right now, I'm working on my customer repository, I don't have permission to look into the project setting, and we work remotely.
One way to figure it out is to ask a customer to screen capture the permission page. But will I have to do this all the time?
I wondered if GitHub already has some API to get all of the permission already.
I am trying to create a website that will allow users to authorize their GitHub account and it will then allow the user to click a create button. Which automatically creates a new repo with some files. Now I am confused about should I make a GitHub app or OAuth app for the same.
I have looked into the documentation but still confused..
I will host the website and this will allow any random user with an GitHub account.. What will be the best choice?
From Github documentation:
GitHub Apps are the officially recommended way to integrate with
GitHub because they offer much more granular permissions to access
data, but GitHub supports both OAuth Apps and GitHub Apps.
They are also providing a simple flow chart that can make your decision easier.
Bottom line - unless you need an access to everything, you should use GitHub App
So we've developed a Facebook App (and similar apps on Twitter and Instagram) that allow users to post and read content using an external system. We'll sell this integration directly to our clients, so it's a private application.
Basically the user will see a very simple page with a button "Log in to Facebook" and a disclaimer regarding the authorization (we'll use some query params fixed in the url, depending on the client). The client authorize us and we capture the access tokens.
To submit the app review, though, we have to explicitly give a test user to the reviewers, but that's not really possible because the real "action" happens within the integrated systems, NOT within the app itself. And those systems are not public (they shouldn't be).
So just to be clear: our app is basically a very simple "Facebook login" that we use to get tokens, generated by specific clients authorization. It's not going to be published anywhere.
Until we have around 5 to 10 clients we can add the specific users in our app as Testers/Admins/etc, but what if we scale up? Say we have 20 clients. How are we supposed to get our app to be "live"?
To follow the app review steps we would have to create some users in our local systems (we have some dev environments), open them to the internet so the reviewers can log in and see how it actually works? Is that it?
(btw I'm asking this because our app review was rejected twice and I want to make sure I'm submitting everything they ask this time).
Thanks :)
I think the Login Review FAQ answers most of your questions. The key point:
Our review team will actually test how your app uses each permission on every platform you have listed in the settings section of your app.... You'll need to explain exactly how to test each permission or feature in your app so that we can make sure it works and follows our policies. We can't approve your app if we can't fully test how it integrates with Facebook.
In other words, it's not enough to just allow them to log in to your app, you have to expose all Facebook-related features to the reviewer.
To follow the app review steps we would have to create some users in our local systems (we have some dev environments), open them to the internet so the reviewers can log in and see how it actually works? Is that it?
Yes, though I'm not sure what you mean by "open them to the internet". You should be able to create a test user on your local system and link that account to a test Facebook user. Then you can have the Facebook reviewer use that test account for their review. (From the FAQ: "In the Items in Review section, you'll see a Test User (optional) section that allows you to type the name of the user you wish to be used in your review.")
This is my working scenario: i have created and successfully published an App on the Google Apps Marketplace / Chrome Web Store. Let's say some users did install this App on their own domains and are using my App. When they installed this App on their domains they granted data access to the scopes I declared for my App, for example scopes A and B.
Now let's say we went on improving our App adding a new feature and we released it. This new feature requires us to add a scope C to the App configuration. So let's add scope C and save the new configuration.
For those users who have already installed the App, scope C is "new" and needs to be granted access, while A and B are already granted.
Now we need to find a way to notify users about the need to grant access to the newly added scope before going on using the App (otherwise end users may incur in some issues).
The question is: is there a way to programmatically detect for a specific domain installation of our App which scopes have already been granted access and which ones not?
Assuming you have an access token you can use oauth2.tokeninfo() to determine which scopes a given token is good for.
I created a Facebook app ad then inadvertently removed all admins (including myself) from the app. Now I can't manage it. Our website is still referencing the app id, and we are still posting comments using it, so I know it still exists in the system. I don't want to create a new app and lose all those comments. Is there a way to recover the app or move the apps' comments to a new app id?
I've used this form to get access to Developer Operations staff that have been able to help me with similar requests.
https://www.facebook.com/help/contact/1838825039720902
Also, if the app was deleted, it can often be restored via https://developers.facebook.com/appeal/
If an application is deleted there is no way to recover it. As far as removing all the admins from the application, this is not something the Admin console allows. You should have been presented with this message when doing so ... "Must specify one developer with admin permissions." ...