mozilla / build.webmaker.org

Source behind MoFo's project tracking site
https://build.webmaker.org
Mozilla Public License 2.0

OAuth permissions are too broad #6

Closed thisandagain closed 9 years ago

thisandagain commented 9 years ago

Original issue: https://github.com/MozillaFoundation/plan/issues/202

cadecairos commented 5 days ago
I don't think it needs to read "All your information" and "read and write all public and private repos"

k88hudson commented 5 days ago
+1

thisandagain commented 4 days ago
:+1:

davidascher commented 4 days ago
I believe https://github.com/MozillaFoundation/plan/blob/master/app.js#L51 is the line that needs changing.

cadecairos commented 4 days ago
https://developer.github.com/v3/oauth/#scopes if all we need is access to public info, we can leave scopes blank.
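As an added example (not code from build.webmaker.org or the plan repository), the scope audit the thread is asking for: flag the scopes an app requests beyond what it needs, and build the authorize URL with no `scope` parameter when only public information is required. The GitHub scope names are real; the helper names and the placeholder client id are assumptions.

```javascript
// Added example: audit a GitHub OAuth scope list against a least-privilege need.
// Scope names are GitHub's; helper names and the client id are assumed.
const GITHUB_AUTHORIZE = 'https://github.com/login/oauth/authorize';

// Broad scopes and roughly what the consent screen tells the user they grant.
const BROAD_SCOPES = {
  repo: 'read and write access to all public and private repositories',
  user: 'read and write access to all profile information',
  'admin:org': 'full control of organizations and teams',
  'write:org': 'read and write access to organization membership',
  delete_repo: 'ability to delete repositories',
};

// Returns the scopes in `requested` that are not in `needed` (the scopes the
// app actually uses). A need of [] means public information only.
function auditScopes(requested, needed) {
  const allowed = new Set(needed);
  return requested
    .filter((s) => !allowed.has(s))
    .map((s) => ({ scope: s, grants: BROAD_SCOPES[s] || 'unlisted scope, review manually' }));
}

// Builds the authorize URL. With an empty scope list the `scope` parameter is
// omitted, which GitHub treats as a request for public information only.
function authorizeUrl(clientId, scopes) {
  const params = new URLSearchParams({ client_id: clientId });
  if (scopes.length > 0) params.set('scope', scopes.join(' '));
  return `${GITHUB_AUTHORIZE}?${params.toString()}`;
}

// Constructed configs: the over-broad request this issue describes, and the fix.
const before = { clientId: 'CLIENT_ID_PLACEHOLDER', scopes: ['user', 'repo'] };
const after = { clientId: 'CLIENT_ID_PLACEHOLDER', scopes: [] };

console.log('excess scopes:', auditScopes(before.scopes, after.scopes));
console.log('fixed authorize URL:', authorizeUrl(after.clientId, after.scopes));
```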

Pomax commented 9 years ago

ran into this today, too -- read and write permissions for all private data and repos is definitely too wide, but it also sets us up for a potentially hairy legal situation, if people have access to organizational repos that they are only allowed access to due to NDAs. No matter how nice we are, Mozilla should probably not even know those repos exist =)

Pomax commented 9 years ago

tested @davidascher's updated perms app: looks to be asking for the right permissions.

davidascher commented 9 years ago

done