Comments (2)
mickmister
commented on June 23, 2024
2
Thanks for submitting this issue @mig5 👍
Unfortunately, GitHub OAuth scopes do not have much support for read-only access https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps. In general we request the following scopes:
public_repo- Limits access to public repositories. That includes read/write access to code, commit statuses, repository projects, collaborators, and deployment statuses for public repositories and organizations. Also required for starring public repositories.
repo- In the case that the MM admin wants to connect to private repositories, we optionally include this scope- Grants full access to public and private repositories including read and write access to code, commit statuses, repository invitations, collaborators, deployment statuses, and repository webhooks. Note: In addition to repository related resources, the repo scope also grants access to manage organization-owned resources including projects, invitations, team memberships and webhooks. This scope also grants the ability to manage projects owned by users.
notifications- read access to a user's notifications
- mark as read access to threads
- watch and unwatch access to a repository, and
- read, write, and delete access to thread subscriptions.
admin:org_hook- Grants read, write, ping, and delete access to organization hooks. Note: OAuth tokens will only be able to perform these actions on organization hooks which were created by the OAuth App. Personal access tokens will only be able to perform these actions on organization hooks created by a user.
(It's not clear what 'write' access to 'Settings' could entail, from a security perspective - could the plugin, for example, be abused to modify branch protection settings for a repository?)
I'm not sure what this entails either. I know the only write actions the plugin does is creating issues/comments/reactions, and creating webhooks. Maybe the webhook permission is what is signaling the Settings part.
Is there no way to customize the scopes to some sort of subset?
At the moment, you cannot do this with the plugin, but we can look into supporting this.
cc @hanzei
from mattermost-plugin-github.
hanzei
commented on June 23, 2024
Closing as the question has been answered
from mattermost-plugin-github.
Related Issues (20)
- Include explanation of `/setup` command in README HOT 2
- `Unable to find manifest for extracted plugin` when using `make deploy` HOT 1
- [Request] Ability to hide entries (especially PRs) from daily summary
- Improve performance of Create Issue modal repository selector HOT 3
- Code previews only work for commit hashes, not for branches
- [Enhancement Proposal] Delaying Draft Pull Request Notifications until Marked as 'Ready for Review' HOT 4
- Pull Request Reviews are not posted. HOT 1
- Code in Pull Request code blocks is broken on Mattermost
- unusable links in plugin messages HOT 2
- User not receiving DM notifications. Had to manually run `notifications on` slash command to re-enable HOT 2
- Mattermost Github Plugin will not start HOT 4
- No pr review notifications if my team was assigned as reviewer HOT 3
- Creating a test issue for GitHub board.
- Explain in docs not to fill out the `Enterprise Base URL` config setting if the GH Enterprise instance is hosted on GitHub's domain HOT 2
- Clarify subscribe message when there is no webhook found
- Subscriptions not creating posts for reopening PRs
- Push events: option to show commit author instead of committer HOT 6
- Feature Request: Subscribe to GitHub Action workflow failures HOT 4
- Feature Request: Subscribe to release events
- The message generated for the `/github subscriptions list ` slash command should show the excluded repositories (if present). HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from mattermost-plugin-github.