You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The OAuth flow requests the ability not only to create repositories, but also to delete them.
I originally thought this was due to the coarse granularity of GH permissions (i.e. "if you want write access you get to delete too") but that is not the case: the app specifically requests for delete permissions (see app/views/datasets/_dataset.html.erb):
Rails.application.config.middleware.use OmniAuth::Builder do provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET'], scope: "user:email,repo,delete_repo,read:org" end
Issue
This is a pretty steep demand on the trust of the users, especially those who may only want to try out the service. We have received a few messages to that effect in the past.
Suggested change
We could remove the ability to delete repositories. That would impact the ability to "delete a dataset" (see spec/controllers/datasets/destroy_spec.rb) and the UI would have to give guidance on how the user ought to manually do that from the GH app (see app/views/datasets/_dataset.html.erb) but it is doable and may be a decent workaround.
Alternatives
Issue #187 has been proposed in the past, to experiment with asking for delete permissions only on delete. That issue was never prioritised - partly because deleting repos is a relatively rare instance.
The text was updated successfully, but these errors were encountered:
Context
The OAuth flow requests the ability not only to create repositories, but also to delete them.
I originally thought this was due to the coarse granularity of GH permissions (i.e. "if you want write access you get to delete too") but that is not the case: the app specifically requests for delete permissions (see app/views/datasets/_dataset.html.erb):
Rails.application.config.middleware.use OmniAuth::Builder do provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET'], scope: "user:email,repo,delete_repo,read:org" endIssue
This is a pretty steep demand on the trust of the users, especially those who may only want to try out the service. We have received a few messages to that effect in the past.
Suggested change
We could remove the ability to delete repositories. That would impact the ability to "delete a dataset" (see spec/controllers/datasets/destroy_spec.rb) and the UI would have to give guidance on how the user ought to manually do that from the GH app (see app/views/datasets/_dataset.html.erb) but it is doable and may be a decent workaround.
Alternatives
Issue #187 has been proposed in the past, to experiment with asking for delete permissions only on delete. That issue was never prioritised - partly because deleting repos is a relatively rare instance.
The text was updated successfully, but these errors were encountered: