CATcher-org / CATcher

CATcher is a software application used for peer-testing of software projects.
https://catcher-org.github.io/CATcher/
MIT License

Avoid asking write access to _all_ public repos #1261

Open damithc opened 6 months ago

damithc commented 6 months ago

Is it possible not to ask for write access to all public repos? Some users may not want to give CATcher such access because if CATcher is compromised, attackers can get through to their other public repos (such as other OSS projects they have write access to).

JuliaPoo commented 6 months ago

Furthermore, I don't see why this project requires read:user permissions. From what I gather from the OAuth documentation, the only user profile information such permissions can gain over public information are:

```json
"private_gists": <number>,
"total_private_repos": <number>,
"owned_private_repos": <number>,
"disk_usage": <number>,
"collaborators": <number>,
"two_factor_authentication": <boolean>,
"plan": {
  "name": <string>,
  "space": <number>,
  "private_repos": <number>,
  "collaborators": <number>
}
```

For me personally, I'm unwilling to allow CATcher write permissions to my public repos.
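As an added illustration of the least-privilege concern raised in this thread (example code, not part of CATcher), the following checks the scopes a GitHub OAuth token actually carries, which GitHub reports in the `X-OAuth-Scopes` response header of every API call, against the minimal set an app declares it needs. The sample header value and the mapping of "write access to public repos" to the `public_repo` scope are assumptions made for the example.

```python
# Added example (not CATcher code): audit a GitHub OAuth token's granted scopes
# against a least-privilege policy. GitHub echoes the token's granted scopes in
# the `X-OAuth-Scopes` response header on every API response.
from typing import Dict, List, Set

# Broader scopes imply narrower ones (partial list of GitHub's scope hierarchy):
# holding the key scope also grants every scope in the value set.
IMPLIED: Dict[str, Set[str]] = {
    "repo": {"public_repo"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org", "read:org"},
}

# Scopes that let the token push to repositories the user can write to.
REPO_WRITE_SCOPES = {"repo", "public_repo"}


def parse_scopes(header_value: str) -> List[str]:
    """Turn an `X-OAuth-Scopes` value such as 'public_repo, read:user' into a list."""
    return [s.strip() for s in header_value.split(",") if s.strip()]


def expand(scopes: List[str]) -> Set[str]:
    """Return the given scopes plus every scope they imply."""
    effective = set(scopes)
    for s in scopes:
        effective |= IMPLIED.get(s, set())
    return effective


def audit_scopes(granted: List[str], required: List[str]) -> Dict[str, object]:
    """Compare a token's effective scopes with the minimal set an app needs.

    `excess` lists effective scopes the app did not declare as required,
    `missing` lists required scopes the token lacks, and `repo_write`
    flags whether the token can push to the user's repositories.
    """
    effective = expand(granted)
    return {
        "excess": sorted(effective - expand(required)),
        "missing": sorted(set(required) - effective),
        "repo_write": bool(effective & REPO_WRITE_SCOPES),
    }


if __name__ == "__main__":
    # Constructed header, assuming the app was granted public_repo and read:user.
    sample_headers = {"X-OAuth-Scopes": "public_repo, read:user"}
    granted = parse_scopes(sample_headers["X-OAuth-Scopes"])
    print(audit_scopes(granted, required=["read:user"]))
```

A `repo_write` of `True` with `public_repo` in `excess` is exactly the situation the issue describes: the app can push to every public repository the user can write to, while needing none of that for its own function.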