scrutinizer-ci / scrutinizer

Legacy repository - archives past feature requests/bug reports

Granular permissions #382

Open theofidry opened 8 years ago

theofidry commented 8 years ago

As of now, for setting up a new repository, when you want to add a repository to Scrutinizer, it requires admin access to all our repositories. It's quite scary and overkill: giving admin access to a third-party service is no trifling matter and poses some security issues.

Would it be possible to fix that? Why does it even require write access? Wouldn't read access be enough?

schmittjoh commented 8 years ago

We are using the permissions for setting up the repository hook, this is also why the user that adds the repository has to have admin rights.

theofidry commented 8 years ago

But this hook could be set up manually, right? In which case read access would be enough. I understand that it would make the set-up process slightly more cumbersome, but for some organisations/people giving admin rights is understandably not acceptable.

schmittjoh commented 8 years ago

Yeah definitely, we have been thinking about some alternative set-up; unfortunately, at the moment we do not have it.

Seldaek commented 8 years ago

Just to illustrate (because yeah, it's still me rambling about this :P), those are the permissions Travis asks for, and I happily give them that:


Scrutinizer on the other hand asks me for writing-code access as far as I understand:


What I mean is... Travis has the hook set-up permission and then the perms to write status on PRs and stuff, it seems (I guess that's Access commit status / Access deployment status?). I don't see what Scrutinizer needs that is not encompassed in there.
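The comparison above (a hook-management scope plus commit/deployment status versus full repository access) can be checked mechanically. The following is an added example, not code from Scrutinizer, Travis or anyone in this thread: it parses the `X-OAuth-Scopes` value that GitHub returns on any authenticated API response, expands it using a subset of GitHub's documented scope hierarchy, and reports what a token is missing for a hook-installing, status-posting CI job and what it was granted beyond that. The header values, the `CI_MINIMUM` set and the implication table are assumptions made for this example; in particular, treating `repo` as covering webhook management follows GitHub's scope description and is marked as an assumption in the code. As the later reply in this thread notes, private repositories cannot be reached without `repo` at all, so the "excess" list is only an indication of what a read-only or public-only setup could drop.

```python
"""Audit a GitHub OAuth token's granted scopes against a least-privilege
CI baseline. Added example; not the code of any project in this thread."""
from typing import Dict, Set, Tuple
import urllib.request

# Parent scope -> scopes it implies. Subset of GitHub's documented hierarchy.
# ASSUMPTION: `repo` is listed as covering `write:repo_hook` because GitHub's
# scope description says `repo` grants access to repository webhooks.
IMPLIES: Dict[str, Set[str]] = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "write:repo_hook"},
    "admin:repo_hook": {"write:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
}

# ASSUMPTION: the minimum a CI service needs on public repositories to
# install its webhook and post commit statuses (the Travis-style setup).
CI_MINIMUM: Set[str] = {"write:repo_hook", "repo:status"}

# Constructed sample header values, modelled on the two screenshots above.
TRAVIS_LIKE = "write:repo_hook, repo:status, repo_deployment, user:email"
SCRUTINIZER_LIKE = "repo, user:email"


def parse_scopes(header: str) -> Set[str]:
    """Turn an `X-OAuth-Scopes: a, b, c` value into a set (empty -> set())."""
    return {s.strip() for s in header.split(",") if s.strip()}


def expand(scopes: Set[str]) -> Set[str]:
    """Close a scope set under the implication table (transitively)."""
    result = set(scopes)
    stack = list(scopes)
    while stack:
        for child in IMPLIES.get(stack.pop(), ()):
            if child not in result:
                result.add(child)
                stack.append(child)
    return result


def audit(granted_header: str,
          required: Set[str] = CI_MINIMUM) -> Tuple[Set[str], Set[str]]:
    """Return (missing, excess): scopes the job still lacks, and scopes the
    token holds that the job does not need after expansion."""
    granted = expand(parse_scopes(granted_header))
    needed = expand(required)
    return needed - granted, granted - needed


def granted_scopes_from_api(token: str) -> Set[str]:
    """Fetch the real header for a token (network call; not used offline).
    GitHub echoes the token's scopes in `X-OAuth-Scopes` on every response."""
    req = urllib.request.Request("https://api.github.com/user",
                                 headers={"Authorization": f"token {token}"})
    with urllib.request.urlopen(req) as resp:  # noqa: S310 (https only)
        return parse_scopes(resp.headers.get("X-OAuth-Scopes", ""))


if __name__ == "__main__":
    for name, header in (("travis-like", TRAVIS_LIKE),
                         ("scrutinizer-like", SCRUTINIZER_LIKE)):
        missing, excess = audit(header)
        print(f"{name}: missing={sorted(missing)} excess={sorted(excess)}")
```

Run it as-is to compare the two constructed headers; swap `SCRUTINIZER_LIKE` for `granted_scopes_from_api(token)` output to audit a real token. The `repo` entry shows up as excess together with `public_repo` and `repo:invite`, which is exactly the "writing-code access" the post objects to, while the Travis-style header leaves nothing missing.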

schmittjoh commented 8 years ago

@Seldaek, wow, you found this one fast :) I'll put someone on this to review if we can change it easily. I just don't want to break stuff for existing customers.

@theofidry, I assume you were referring to private repositories? For those, GitHub provides no way to request read-only access unfortunately (we would be happy with that), it's also not possible to request access to just a few repositories. If we are missing something here, please let me know.

Seldaek commented 8 years ago

I cheated, he linked me to it ;)

theofidry commented 8 years ago

@schmittjoh actually I wasn't making any distinction between private or public ones. If there are differences in permissions management, sorry, I didn't check that far :p

But I think @Seldaek illustrates the issue well. Thanks for taking a look.