GitHub API Application list non public org members - github

I want to write a small application to verify members of a GitHub organisation.
The app should match the concrete GitHub org members with a database. When someone is not in the database it should remove it from the GitHub org and so on.
My Problem in using the GitHub API is, that the following request only lists public memberships (since I did not authenticate as a user, but I do not want to).
https://api.github.com/orgs/_orgname_/members?client_id=_client_id_&client_secret=_client_secret_
where orgname, _client_id_ and _client_secret_ are replaced with the actual organisation name and a client id/secret pair registered on this organisation.
How can I access the private members without authenticating as a user (only as an app (server2server) )?

You can't -- you need to authenticate as a user and have the right permissions. When you provide client_id and client_secret, you're still making unauthenticated requests:
https://developer.github.com/v3/#increasing-the-unauthenticated-rate-limit-for-oauth-applications
And unauthenticated requests can only be used to read publicly available information.

Related

How can a Github App list a user's private repositories?

I am trying to list a user's private github repositories via a github app.
(Note: I am not currently using OAuth, and I am looking for a user's repositories, not an org's.)
I am attempting to make this API call with an installation client, that is, using a client specific to an installation of an app and using a JWT with my private key.
This is the endpoint I am requesting:
https://api.github.com/user/repos?per_page=100&visibility=private
This yields the following response:
{
"message":"Resource not accessible by integration",
"documentation_url":"https://docs.github.com/rest/reference/repos#list-repositories-for-the-authenticated-user"
}
The /user/repos not listed in the list of valid app endpoints so I'm not surprised this doesn't work.
Once a user installs my app, how can I list their private repos?
The way to do this is by calling the /installation/repositories endpoint. An "installation" might have access to many repos across many users, and this endpoint will encompass them all.
This endpoint is documented here: https://docs.github.com/en/rest/reference/apps#list-repositories-accessible-to-the-app-installation

How to check if a user can create a repository in a GitHub organization via the REST API

I am writing a Github App that is able to create repositories in an installation.
When the App acts on behalf of an authenticated user, I would like to check that the user can (by themselves) create a repository in the org.
I have spent a lot of time on GitHub's API docs, but I cannot find the answer.
My first thought was that this info should be available in the endpoint /user/installations. The endpoint lists the installations that the user can access (either as a member of an organization or as an external collaborator). However, the permissions returned with each entry are actually the permissions for the App, not for the user. So, this is a dead end.
Another direction was looking at the (public+private) organizations of the user using /user/orgs.
(This does not seem the right direction because as an App I would expect to operate only on installations...)
With this endpoint, I can get all the organizations of the user. However, I don't get whether they can create repos and/or what the role of the user is in the organization.
Should I use the teams/roles part of the API?
My App doesn't ask for the members suite of permissions so I would like to avoid this road.
At this point, the only workarounds are:
Try to create the repo as the user, take note if it fails. Bad solution because I don't want to tell the user that they can create a repo if they can't.
In the background, try to create a repo as the user to check if it possible. If it is, delete the repo. This works but it seems an ugly workaround.
Any suggestion?

Github permissions

We've set up a Github app so that it automatically forks a repository for another individual Github user using the Github API. Now we're running into a problem that not everyone wants to give us full read access to all of their private repositories since sometimes they contain sensitive data.
Is there a way to only get read/write permission to a single repository and not the individual's entire account?
Unfortunately, this is not available yet. This feature is still under development as you can see in the Gihub Apps roadmap (and note that I am talking about Github Apps, not OAuth Github Apps). I don't know if this will ever be possible in OAuth Apps but it seems that it might in Github Apps.
There is already a discussion about this at the dear github repository. You should check for news there.
Is there a way to only get read/write permission to a single repository and not the individual's entire account?
Not that I know of: it is easier to setup a new dedicated GitHub account where you would recreate the private repos you want to give access to.
In that new account, you can consider all the private repos can be accessed.
You would keep the really private ones (with sensitive information) in your original GitHub account.
I believe you're looking for X-OAuth-Scopes. This is a well-defined header so that you may restrict your access scope to, for example, public repositories only.
The github developer documentation here says:
... space-delimited list of scopes. If not provided, scope defaults to an empty list for users that have not authorized any scopes for the application. For users who have authorized scopes for the application, the user won't be shown the OAuth authorization page with the list of scopes. Instead, this step of the flow will automatically complete with the set of scopes the user has authorized for the application. For example, if a user has already performed the web flow twice and has authorized one token with user scope and another token with repo scope, a third web flow that does not provide a scope will receive a token with user and repo scope.

Restrict Github API access to only one repository of an user

We have an web application, which lets the user write code and store it in an internal git repository on our server.
Now we wanted to allow the user to share his code with his github repository. So we looked through the api documentation of github and found a way via ouath2.
However to make this work, we need to request write access from the user, but github oauth access scopes only include write access to all repository of an user, which is way too much for us.
Is it possible to restrict an api access for only one specific repository of an user?
As per jasonrudolph comment, it is not currently possible to restrict API access to a specific repository.
Deploy keys are the closest thing that provides this type of functionality. (This won't help you from an API perspective, but a deploy key might meet your underlying need.) If your application were to generate an public/private SSH keypair, and the user were to add the public key as a deploy key in the repository, then you could use the private key to access just that one repository (without having access to the user's other repositories).

Request read-only access to a user's github profile?

I let users log in via Github with the omniauth-github gem.
However, the most basic scope that provides email address is user, which also includes write access to their profile (which I don't need, and is dissuading users).
How can I request read-only access to their profile?
This is an old question but my team has been having the same issues so I post an answer for posterity.
The Omniauth-GitHub gem has scopes that allow you to ask for different sets of permissions. In your case, you want to leave scope blank, because this means
public read-only access (includes public user profile info, public repo info, and gists).