GitCash / issues-and-feature-requests

For making support requests and proposing new features for GitCash.io Github Tipping Bot
https://gitcash.io

Permissions and scope #3

Closed zander closed 6 years ago

zander commented 6 years ago

After chatting a little about this project on discord I want to raise an issue about two things.

The signup is personal. Anyone that signs up will get their 'tip' comments acted on. I recall you said that you intend to update the comment with status as it goes on.

The permissions you are required to grant the app are a bit too much for me.


My suggestion is to be more like tippr or @chaintip

Simply mention him and your bot can find the comment and invite the new user to sign up or simply send the funds if they already have in the past.

The mention is very powerful as it allows anyone to start using the bot on any repo all over github as the mention will just make sure you get a notification.

alwaysAn0n commented 6 years ago

Thanks for the input @zander . Here's a little more information on the topic which I've already given you and I'm a bit surprised you didn't include in this issue so users understand the constraints we're building under.

Sadly Github's API leaves a lot to be desired. The app needs to be able to read the comments made by a user in both public and private repos. It also needs to be able to update a comment on behalf of the user who made it. In order to do EITHER of these things, we have to get the entire repo scope because the Github API doesn't break these permissions down any further. It's all or nothing.

Luckily we'll be adding on-chain tipping features that will allow folks to use some of the features even if they can't justify granting ALL of those permissions. Also, I'd love to discuss ways we can completely work around the Github API's shortcomings while still allowing the current feature set to work.

> Simply mention him and your bot can find the comment

This is only true if the bot is mentioned from inside a public repo. In order for it to see mentions in private repos, the bot must be a contributor on the repo or we need the repo scope for the user so we can check for bot mentions in the comments they make.

Here's an idea that might work. What if I add a "revoke Github permissions when I go inactive" setting? I could then create a process that deletes the user's oauth token after they've been inactive on the GitCash.io site for 15 minutes?

alwaysAn0n commented 6 years ago

After a lot of thought, I've decided to make the changes proposed by @zander. I believe this change will allow us to serve more users while simultaneously reducing GitCash's data liability.

@GitCash please give @zander .01 bch as a thank you

--------- GitCash Tip Bot ---------

Hey @zander! alwaysAn0n has sent you 0.01 bch in Bitcoin Cash (~ $10.89)

Follow the link to claim it at

https://gitcash.io/claim/zander

Follow the link and join us!

Bitcoin Cash is an upgrade to the Bitcoin network that restores its use as peer to peer digital cash.

Join the rebellion in r/btc

--------- End GitCash Tip Bot ---------

zander commented 6 years ago

As this post was about me not being able to sign up with the current design, did you just give me a tip I can't claim without signing up?

Please consider using the donations address here instead: http://flowee.org/donations/

block-spider commented 6 years ago

Here you go @zander @chaintip. On behalf of @alwaysAn0n, until they implement their new system. Looking forward to seeing the evolution of GitCash!

Link your flowee donation address, then others can 'donate' to flowee, if they happen to chaintip you in future.

chaintip commented 6 years ago

@zander has claimed the 0.01 BCH | ~ 11.22 USD sent by @block-spider via chaintip.

zander commented 6 years ago

Thanks block-spider! Claimed it quite painlessly :)

alwaysAn0n commented 6 years ago

@zander GitCash now only requires the "Personal user data" scope and it functions like you suggested. Thanks for the feedback. You can claim your tip now.

zander commented 6 years ago

Thank you for the update.

As granting you write access to my email address means anyone controlling the app can reset my password to a new email address and again do everything I can on this site, it's effectively still too risky for me to sign up.

GitCash commented 6 years ago

Closing this since the main concerns have been addressed. Feel free to reopen if the email address concern persists and you genuinely want to use GitCash.

alwaysAn0n commented 6 years ago

Immediately after closing this we discovered that there actually is a "read only" scope for user. We made the change and pushed it to production. You're safe now @zander

@GitCash send @zander .01 bch
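The scope reduction this thread walks through (repo access, then personal user data, then read-only user data) can be checked mechanically. The following is an added example, not GitCash's code: it audits the scopes a token carries, as GitHub reports them in the `X-OAuth-Scopes` response header, against what an app needs. The scope identifiers are GitHub's documented OAuth scope names and their mapping to the stages in this thread is an assumption; the header values are constructed.

```python
# Added example (not from the thread or from GitCash).
# Broad GitHub OAuth scope -> narrower scopes it implicitly grants.
IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite"},
    "user": {"read:user", "user:email", "user:follow"},
}


def parse_scopes(header_value):
    """Parse an X-OAuth-Scopes header value such as "repo, user" into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def effective(scopes):
    """Expand granted scopes with every narrower scope they imply."""
    out = set(scopes)
    for scope in scopes:
        out |= IMPLIES.get(scope, set())
    return out


def audit(header_value, needed):
    """Compare what a token grants with what the app needs.

    Returns (missing, excess). `missing` is the set of needed scopes the
    token does not cover. `excess` maps each granted scope that is not
    itself needed to the needed scopes it was covering: an empty set means
    the scope can be dropped, a non-empty set names the narrower scopes
    to request instead.
    """
    needed = set(needed)
    granted = parse_scopes(header_value)
    missing = needed - effective(granted)
    excess = {
        scope: IMPLIES.get(scope, set()) & needed
        for scope in sorted(granted - needed)
    }
    return missing, excess


if __name__ == "__main__":
    # Constructed header values standing in for the three stages discussed.
    for header in ("repo, user", "user", "read:user"):
        print(header, "->", audit(header, {"read:user"}))
```

Run against a live token, the header value comes from any authenticated GitHub API response; a non-empty `excess` is the signal to re-request authorization with the narrower scopes.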

GitCash commented 6 years ago

GitCash Tip Response @zander

zander commented 6 years ago

Thanks for the tip!

And I'm very happy that my complaining was somehow useful to lead you to the service maturing into what it is today :)

After Microsoft acquired GitHub I opened this issue, a gitlab compatible 'gitcash' service may be useful.