I let users log in via Github with the omniauth-github gem.
However, the most basic scope that provides email address is user, which also includes write access to their profile (which I don't need, and is dissuading users).
How can I request read-only access to their profile?
This is an old question but my team has been having the same issues so I post an answer for posterity.
The Omniauth-GitHub gem has scopes that allow you to ask for different sets of permissions. In your case, you want to leave scope blank, because this means
public read-only access (includes public user profile info, public repo info, and gists).
Related
I'm reading the documentation on Scopes for OAuth Apps and it's not clear to me if it's possible to grant read access to private repos, without providing write access.
The repo scope grants full access to read and write everything. This works but it's more permissive than what we would like.
The scope public_repo is only for public repos as its name suggests, and I'm not sure if read:repo_hook is what I need or not.
What's the best suited scope for my use case of reading pull request by passing a commit hash as a parameter to Octokit?
For OAuth apps, the most granular scope is repo or public_repo, depending on whether you need access to all repositories or only public ones.
If you want more granular permissions, you need to use GitHub Apps, which also have OAuth featues (GitHub calls these user-to-server tokens):
https://docs.github.com/en/developers/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps.
GitHub Apps need to be installed by users on repositories in order to grant access, and they have a pull_request read or write permission, depending on what you need.
If I mention an external user in a private repo, does that grant them access to the conversation/branch/repo? And if so, does removing the conversation will withdraw the access?
No, a user's access is not modified by whether you mention them. For example, if at work I mention a former colleague (e.g., “That was written by #octocat, who's no longer here.”), that user does not get notified at all and doesn't get any access to that repository.
Doing so would be tricky because it would allow people to gain access even when they definitely should not have access (former employees, project members who have been asked to leave for inappropriate behavior, etc.).
We've set up a Github app so that it automatically forks a repository for another individual Github user using the Github API. Now we're running into a problem that not everyone wants to give us full read access to all of their private repositories since sometimes they contain sensitive data.
Is there a way to only get read/write permission to a single repository and not the individual's entire account?
Unfortunately, this is not available yet. This feature is still under development as you can see in the Gihub Apps roadmap (and note that I am talking about Github Apps, not OAuth Github Apps). I don't know if this will ever be possible in OAuth Apps but it seems that it might in Github Apps.
There is already a discussion about this at the dear github repository. You should check for news there.
Is there a way to only get read/write permission to a single repository and not the individual's entire account?
Not that I know of: it is easier to setup a new dedicated GitHub account where you would recreate the private repos you want to give access to.
In that new account, you can consider all the private repos can be accessed.
You would keep the really private ones (with sensitive information) in your original GitHub account.
I believe you're looking for X-OAuth-Scopes. This is a well-defined header so that you may restrict your access scope to, for example, public repositories only.
The github developer documentation here says:
... space-delimited list of scopes. If not provided, scope defaults to an empty list for users that have not authorized any scopes for the application. For users who have authorized scopes for the application, the user won't be shown the OAuth authorization page with the list of scopes. Instead, this step of the flow will automatically complete with the set of scopes the user has authorized for the application. For example, if a user has already performed the web flow twice and has authorized one token with user scope and another token with repo scope, a third web flow that does not provide a scope will receive a token with user and repo scope.
I'm signing up a website with my github account. But why would github allow application gain access to my private repo?
What I expect is that github should allow me to control which access I want to grant to that application.
This application will be able to read
and write all public and private repository data. This includes the
following:
Code
Issues
Pull
requests
Wikis
Settings
Webhooks and services
Deploy keys
Github's permissions are, unfortunately, not all that granular.
They're listed here: https://developer.github.com/v3/oauth/#scopes
The site is presumably requesting the repo permission. It'd be nice if Github let you pick and choose which repositories to allow a third-party application access to, but it's currently all-or-nothing.
The site may or may not have a legitimate need for that permission (a CI service might need access to a private repo, for example). We can't answer that part for you - you'll have to decide for yourself if the login is worth the risk.
I want to write a small application to verify members of a GitHub organisation.
The app should match the concrete GitHub org members with a database. When someone is not in the database it should remove it from the GitHub org and so on.
My Problem in using the GitHub API is, that the following request only lists public memberships (since I did not authenticate as a user, but I do not want to).
https://api.github.com/orgs/_orgname_/members?client_id=_client_id_&client_secret=_client_secret_
where orgname, _client_id_ and _client_secret_ are replaced with the actual organisation name and a client id/secret pair registered on this organisation.
How can I access the private members without authenticating as a user (only as an app (server2server) )?
You can't -- you need to authenticate as a user and have the right permissions. When you provide client_id and client_secret, you're still making unauthenticated requests:
https://developer.github.com/v3/#increasing-the-unauthenticated-rate-limit-for-oauth-applications
And unauthenticated requests can only be used to read publicly available information.