bkeepers / github-notifications

A client for reading GitHub notifications
https://notifications.githubapp.com/
MIT License
212 stars 25 forks

Permissions scoping #146

Open kofalt opened 9 years ago

kofalt commented 9 years ago

The permissions requested are pretty extensive:

[screenshot: zomg-perms]

From the GH docs:

This is one of the most expansive configurations you can permit, so accept it with caution!

Contrast permissions for Travis CI, which are much more scoped:

[screenshot: travis-perms]

I immediately notice how it's much easier to understand what Travis can read or modify, and I'm nervous about authorizing github-notifications with write access to everything.

I'd be a lot more comfortable if the github-notification permissions were scoped, or at least if there were an explanation presented for requesting so much :)

Thanks!

paoloantinori commented 9 years ago

+1

bkeepers commented 9 years ago

The repo scope is needed to read and write issues and comments on private repositories. From what I can tell, there's not a scope that gives you access to that without giving you full read/write access to all repo data.

/cc @kdaigle
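As an added example (not part of this issue or the project's code): a small audit that reads the scopes GitHub attaches to a token from the `X-OAuth-Scopes` response header, compares them with a least-privilege list, and flags broad scopes such as `repo`. The sample headers are constructed, and the `BROAD_SCOPES` list is an assumed policy choice, not something GitHub defines.

```python
"""Audit the OAuth scopes a GitHub token actually carries."""

# GitHub reports the scopes attached to a token in the X-OAuth-Scopes
# response header, and the scopes a given endpoint would accept in
# X-Accepted-OAuth-Scopes. Both are comma-separated lists.

# Assumed policy list: scopes that grant broad read/write access and
# deserve a second look. `repo` is the one this issue is about.
BROAD_SCOPES = {"repo", "admin:org", "delete_repo"}


def parse_scope_header(value):
    """Split a comma-separated scope header into a sorted, de-duplicated list."""
    return sorted({s.strip() for s in value.split(",") if s.strip()})


def audit_scopes(headers, minimal_scopes):
    """Compare granted scopes with the scopes the client actually needs.

    headers: dict of HTTP response headers (looked up case-insensitively).
    minimal_scopes: the least-privilege scope list the client should hold.
    Returns a dict with granted, excess, broad and insufficient findings.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    granted = parse_scope_header(lookup.get("x-oauth-scopes", ""))
    accepted = parse_scope_header(lookup.get("x-accepted-oauth-scopes", ""))
    needed = set(minimal_scopes)
    excess = sorted(set(granted) - needed)
    broad = sorted(set(granted) & BROAD_SCOPES)
    # Edge case: a token can be over-privileged and still unable to call the
    # endpoint, if none of its scopes appear in the accepted list.
    insufficient = bool(accepted) and not (set(granted) & set(accepted))
    return {"granted": granted, "excess": excess,
            "broad": broad, "insufficient": insufficient}


# Constructed sample headers in GitHub's format; not captured from a real request.
SAMPLE_HEADERS = {
    "X-OAuth-Scopes": "repo, notifications, user:email",
    "X-Accepted-OAuth-Scopes": "notifications, repo",
}

if __name__ == "__main__":
    report = audit_scopes(SAMPLE_HEADERS, ["notifications"])
    for key, val in report.items():
        print(f"{key}: {val}")
```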