cla-assistant / cla-assistant

Contributor License Agreement assistant (CLA assistant)
https://cla-assistant.io
Apache License 2.0
1.32k stars 264 forks

cla-assistant requires excessive permissions #810

Open hexagonrecursion opened 2 years ago

hexagonrecursion commented 2 years ago

tldr-pages requires that all contributors sign a CLA. For the signing workflow they use cla-assistant. When I tried to log into cla-assistant it first asked for permission to see my email address (a reasonable request when using GitHub OAuth). After I approved the request I got a second request for a long list of permissions including write access and private data. This included:

This is unacceptable. There is no reason for cla-assistant to ask me for those permissions just so I can sign a CLA.

Shegox commented 2 years ago

hi @hexagonrecursion,

thanks for opening the issue. Normally these permissions are only required when you login via the homepage to actually configure it. For just signing a CLA it should only require your email (the first prompt).

What link did you use to access CLA-Assistant? Via https://cla-assistant.io/tldr-pages/tldr?pullRequest=7516 it should only ask you for the email and redirect you back to the PR afterwards.
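The distinction made above (signing should need only the email permission, while configuring via the homepage needs the extended permissions) is a least-privilege question about OAuth scopes. The following is an added example, not code from cla-assistant or from anyone in this thread: it parses the `scope` parameter of a GitHub OAuth authorize URL and reports any scope beyond the minimum expected for a signing-only flow. The allowlist containing `user:email` and the sample URLs are constructed assumptions; the issue itself does not list the exact scopes shown in the second prompt.

```python
from urllib.parse import urlparse, parse_qs

# Assumption for this example: a CLA signing flow should only ever need the
# email scope. The real scope set cla-assistant requests is not stated in the issue.
SIGNING_ALLOWED_SCOPES = frozenset({"user:email"})


def requested_scopes(authorize_url: str) -> set:
    """Return the set of OAuth scopes named in a GitHub authorize URL.

    GitHub documents the `scope` parameter as space-delimited; older links
    used commas, so both separators are accepted. A URL with no `scope`
    parameter yields an empty set (GitHub then grants read-only public access).
    """
    query = parse_qs(urlparse(authorize_url).query)
    raw = " ".join(query.get("scope", []))
    return {s for s in raw.replace(",", " ").split() if s}


def excess_scopes(authorize_url: str, allowed=SIGNING_ALLOWED_SCOPES) -> set:
    """Scopes the URL requests that are not in the allowlist for a signing-only flow."""
    return requested_scopes(authorize_url) - set(allowed)


def check_signing_redirect(authorize_url: str) -> tuple:
    """Return (ok, sorted list of unexpected scopes) for a signing redirect.

    ok is True only when every requested scope is within the signing allowlist,
    which is the prompt a contributor should see when arriving from a PR comment.
    """
    excess = excess_scopes(authorize_url)
    return (not excess, sorted(excess))


if __name__ == "__main__":
    # Constructed sample URLs (client_id and redirect_uri are placeholders).
    minimal = ("https://github.com/login/oauth/authorize"
               "?client_id=CLIENT_ID_PLACEHOLDER&scope=user:email"
               "&redirect_uri=https://example.invalid/callback")
    extended = ("https://github.com/login/oauth/authorize"
                "?client_id=CLIENT_ID_PLACEHOLDER"
                "&scope=user:email%20repo%20write:repo_hook"
                "&redirect_uri=https://example.invalid/callback")
    for url in (minimal, extended):
        ok, extra = check_signing_redirect(url)
        print("OK" if ok else "EXCESS SCOPES: " + ", ".join(extra))
```

A contributor who is unexpectedly shown the extended prompt can copy the authorize URL from the browser and run it through `check_signing_redirect` to see exactly which scopes exceed the email-only expectation before deciding whether to approve; the same check can be used by a maintainer to verify that the link posted in a PR comment leads to the minimal flow.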

hexagonrecursion commented 2 years ago

cla-assistant posted a comment on my PR. I clicked on the link in the comment.

Shegox commented 2 years ago

Ah okay, that is indeed weird. This should only ask you for the email permissions and then take you to the signing. I assume that you didn't give CLA-Assistant the extended permissions, right? The PR in tldr-pages looks at least like you accepted the CLA.

If this is the case I suspect that for whatever reason it redirected you to the wrong place after accepting the CLA. I wasn't able to reproduce it so far.

hexagonrecursion commented 2 years ago

I did not give permissions. After that I clicked on the link a second time and everything worked as expected.

Shegox commented 2 years ago

Okay, that is really weird and shouldn't happen.

Let me see if I can reproduce that, or whether someone else runs into this problem as well.

jpmcb commented 2 years ago

Hi all - someone a few weeks back in spf13/cobra also mentioned something similar: https://github.com/spf13/cobra/pull/1530

I'm not able to reproduce since I already have accepted everything.

Shegox commented 2 years ago

@jpmcb thanks for providing this as well. I will see if I can figure out what happened here, especially since it doesn't seem to be a one off as I hoped :D

seabass-labrax commented 2 years ago

I too have experienced this in trying to sign the CLA for golangci/golangci-lint. Unlike @hexagonrecursion, though, mine didn't work even after clicking on the link for a second time.

Olf0 commented 2 years ago

This is a duplicate of issues #78, #97, #566, #863 etc.

I suggest dealing with this at issue #566 until it has been fully resolved, i.e., until the CLA assistant works properly with cookies disabled in the web browser.

drmcnelson commented 3 weeks ago

I have the same issue, and here it is more than two years later.

Never-ever will I grant a bot such permissions; I would hardly ever grant them to a person, even a close relative.

If this is the price of collaboration, then collaboration stops here.