jsonresume / jsonresume.org

The mono repo that builds the homepage, utils, ui components, registry and anything else
https://jsonresume.org

Questionable permission level #138

Open shaedrich opened 1 month ago

shaedrich commented 1 month ago

What do you need those excessive permissions for? I thought you just need to read from a simple gist?


thomasdavis commented 1 month ago

Thanks for the report. It should only need;

The current permissions are set here -> https://github.com/jsonresume/jsonresume.org/blob/master/apps/registry/auth.js#L12

I will check it out later if no one else knows how to reduce those permissions

thomasdavis commented 1 month ago

Just need to change it to read:user for a read-only user.

But I don't think it's possible to scope it to public gists only.

shaedrich commented 1 month ago

That seems to be included as the default. See: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes

thomasdavis commented 1 month ago

Yeah but it doesn't support writing gist which is needed for the editor

shaedrich commented 1 month ago

Ah, okay. You are right. This would need the gist permission then

thomasdavis commented 1 month ago

I've updated it to just read the user profile in this commit: https://github.com/jsonresume/jsonresume.org/commit/8e5b9dc908c20ece1dd965c154294b1b904af78c

Will keep this open for a little while to see if anyone has any good ideas to let people keep their gists private.
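After narrowing the requested scope, a practitioner will want to confirm what scopes an issued token actually carries rather than trust the login configuration alone. The following is an added example, not code from the jsonresume.org repository or from anyone in this thread. It relies on GitHub returning the scopes of an OAuth token in the `X-OAuth-Scopes` response header of API calls made with that token; the allowlist (`read:user`, plus `gist` only where the editor needs to write gists) and the sample header values are assumptions constructed for the example, not the project's actual settings.

```javascript
// Added example (not from the jsonresume.org repo): audit the scopes an
// issued GitHub OAuth token carries against the scopes this app should hold.
// GitHub reports a token's scopes in the X-OAuth-Scopes response header as a
// comma-separated list, e.g. "read:user, gist".

// Assumption for this example: read:user suffices for login, and gist is
// only acceptable because the editor needs to write gists (see the thread).
const ALLOWED_SCOPES = new Set(["read:user", "gist"]);

// Parse the header value into a list of scope names.
// "read:user, gist" -> ["read:user", "gist"]; missing/empty header -> [].
function parseOAuthScopes(headerValue) {
  if (!headerValue) return [];
  return headerValue
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Return the scopes that are not on the allowlist (empty array means OK).
function excessiveScopes(scopes, allowed = ALLOWED_SCOPES) {
  return scopes.filter((s) => !allowed.has(s));
}

// Call the GitHub API with the token and audit the scopes it reports.
// Uses the global fetch available in Node 18+; the token is supplied by the
// caller and never hard-coded. Returns { scopes, excessive }.
async function auditTokenScopes(token, fetchImpl = fetch) {
  const res = await fetchImpl("https://api.github.com/user", {
    headers: {
      Authorization: `Bearer ${token}`,
      "User-Agent": "scope-audit-example",
    },
  });
  // Header lookup is case-insensitive on the fetch Headers object.
  const scopes = parseOAuthScopes(res.headers.get("x-oauth-scopes"));
  return { scopes, excessive: excessiveScopes(scopes) };
}

// Constructed sample header values (not the project's real scopes): one with
// a scope beyond the allowlist, one with only the narrowed read:user scope.
const SAMPLE_BROAD = "read:user, gist, repo";
const SAMPLE_NARROW = "read:user";

console.log(excessiveScopes(parseOAuthScopes(SAMPLE_BROAD)));  // [ 'repo' ]
console.log(excessiveScopes(parseOAuthScopes(SAMPLE_NARROW))); // []
```

Run `auditTokenScopes(token)` once after a real login and alert if `excessive` is non-empty; this catches a configuration regression in which the requested scope is widened again, since the header reflects what the user actually granted rather than what the code intended to ask for.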

shaedrich commented 1 month ago

Awesome! Thanks 👍🏻