Granular permissions

Question

Granular permissions

Opened this issue 8 years ago · 7 comments

As of now for setting a new repository, when you want to add a repository to Scrutinizer, it requires admin access to all our repositories. It's quite scary and overkill: giving admin access to a third-party service is no trifling matter and pause some security issues.

Would it be possible to fix that? Why does it even requires a write access? Wouldn't read access be enough?

Answer 1 · 2016-05-05T08:23:29.000Z

We are using the permissions for setting up the repository hook, this is also why the user that adds the repository has to have admin rights.

Answer 2 · 2016-05-05T08:27:13.000Z

But this hook could be set up manually right? In which case read access would be enough. I understand that it would make the set up process slightly more cumbersome, but for some organisations/people giving admin rights is understandably not acceptable.

Answer 3 · 2016-05-05T08:28:47.000Z

Yeah definitely, we have been thinking about some alternative set-up, unfortunately at the moment, we do not have it.

Answer 4 · 2016-05-05T09:00:10.000Z

Just to illustrate (because yeah it's still me rambling about this:P), those are the permissions travis asks for, and I happily give them that:

Scrutinizer on the other hand asks me for writing-code access as far as I understand:

What I mean is.. travis has the hook set up permission and then the perms to write status on PRs and stuff it seems (I guess that's Access commit status / Access deployment status?). I don't see what scrutinizer needs that is not encompassed in there.

Answer 5 · 2016-05-09T09:27:06.000Z

@Seldaek, wow, you found this one fast :) I'll put someone on this to review if we can change it easily. I just don't want to break stuff for existing customers.

@theofidry, I assume you were referring to private repositories? For those, GitHub provides no way to request read-only access unfortunately (we would be happy with that), it's also not possible to request access to just a few repositories. If we are missing something here, please let me know.

Answer 6 · 2016-05-09T09:32:08.000Z

I cheated, he linked me to it ;)

Answer 7 · 2016-05-09T09:33:11.000Z

@schmittjoh actually I wasn't making any distinction between private or public ones. If there is differences in permissions managements sorry I didn't checked that far :p

But I think @Seldaek illustrate well the issue. Thanks for taking a look.