Netlify CMS allows all GitHub users to write to main branch

[behoppe]

Issues It seems that anyone with a GitHub account can use Netlify CMS to push changes to the main branch.

Improvements This page of Netlify CMS docs explains user roles, which would give us control over write access.

Additional discussion Not sure how this will scale or how it will integrate with GitHub teams decaporg/decap-cms#42

[behoppe]

A couple developments:

• From Netlify community, advice that we can use Netlify Identity to accomplish what we want, and we can have 5 Netlify identities for free. IMO this begs the question, "What is git-gateway for?" And I am hoping to learn more on that. Possible avenues here
• Tested another alternative to git-gateway, which is using GitHub OAUTH. This seems like an older more reliable method, per here. I found it to work -- which means that people without push access cannot log into Netlify CMS.

So one approach might be to integrate this with decaporg/decap-cms#42, using GitHub teams to manage permissions and grant push access to more GitHub accounts than we have currently. Then using GitHub OAUTH seems quite workable.

[behoppe]

I fixed this by switching auth mechanisms from Git-Gateway to GitHub OAuth. Details below.

GitHub OAuth, a more mature part of Netlify than Git-Gateway, uses the actual GitHub user credentials (instead of doing some more complicated proxy-dance with a single admin's GitHub credentials). Everything makes more sense now with GitHub OAuth.

To enable GitHub OAuth, I addressed some issues on GitHub teams decaporg/decap-cms#42 and protected branches. I created a team @OpenCilk/website-contributors that has write access to this repository, and I added all contributors that I know. (Note that this involved inviting @jowens to join the @OpenCilk organization, which perhaps nudges us towards a broader ecosystem/community notion of what that organization is.)

Write access was still not enough, until I also removed the protection rule from the main branch, which used to ensure that changes could only happen through pull requests. Netlify CMS needs the ability to push without PRs, and after I removed the protection rule, then Netlify CMS works as desired.

In particular:

• My personal @beh333 account, when it is a member of @OpenCilk/website-contributors, can use Netlify CMS to edit and publish those edits.
• But when @beh333 is removed from the team, then it can no longer sign onto Netlify CMS. ("Your account does not have write access to this repo.")

[behoppe]

Reopening this issue, because OAuth app asks people for too much (permission to access organizations beyond OpenCilk). I have reverted to Git-Gateway for now. Not sure how best to connect to Netlify CMS.

[behoppe]

@dcurtisatmit and @cleiserson: Based on discussion with Bradley, I tested GitHub OAuth. It does not ask for too much permission. When it presents a green check, that indicates that the user belongs to an organization that has removed restrictions on third-party apps.

The green check reminds you of the policies that those org admins have in place, to allow all third-party apps used by any org members to access any other data in the org. (Why those orgs remove the default restrictions, I cannot say, but I hope we do not take their problems onto our shoulders.)

So I have other problems with Netlify CMS (e.g., "API errors such as decaporg/decap-cms#84) but authorization is not one of the blocking issues, because using GitHub OAuth seems to be a very robust alternative to using git-gateway, which we still have not gotten to work.

Details in the attached pdf.

Test of Netlify GitHub OAuth.pdf

[behoppe]

I am closing this issue because

• The original symptom was due to user error. I set registration to "open" instead of "invite only." (See https://www.netlifycms.org/docs/add-to-your-site/)
• The GitHub OAuth approach works great, except that it makes people nervous to be reminded that org admins have removed default GitHub access protections.

For now I am keeping Git-Gateway going, but soon I will campaign to switch to GitHub OAuth.

[96312]

Hello there, stumbling upon this from netlify's git-gateway repo. I wanna set up a simple page using their CMS with only me as the admin and user.

Which of these ways did you find offers the least resistance path of setting up communication of the cms with github?

[behoppe]

Hello there, stumbling upon this from netlify's git-gateway repo. I wanna set up a simple page using their CMS with only me as the admin and user.

Which of these ways did you find offers the least resistance path of setting up communication of the cms with github?

I recommend GitHub OAuth, with the caveat that Netlify CMS documentation is chaotic no matter what. If you take notes on your process and list the doc pages that helped you as a new comment here, that would be pretty great :-). Good luck!