英文:
Is there a Github API OAuth scope that allows you to check a user has access to a private repo *without* also granting access to repo code?
问题
我正在构建一个OAuth应用程序,用于与Github一起工作。我需要通过令牌范围来确定经过身份验证的用户是否可以访问仓库(公共或私有),以便我可以相应地限制应用程序的访问权限。
我明确不希望从我的应用程序中访问仓库代码,因为a)我希望用户和公司能够放心地将其用于私有仓库,b)应用程序不需要知道,所以我希望保持最低权限。
我正在努力寻找一个OAuth范围,允许应用程序查询用户是否可以访问特定仓库,而不需要要求用户授予应用程序访问其代码的权限。
我找到的最接近的是repo:status
。但这需要我猜测一个分支名称,通常是main
或master
,但没有保证。
有更好的方法吗?
英文:
I'm building an OAuth app to work with Github. I need to know, via token scopes, whether an authenticated user has access to a repo (public or private) so that I can restrict access accordingly in my app.
I explicitly do not want access to repo code from my app because a) I want users and companies to have confidence to use it with private repos and b) the app doesn't need to know, so I'd like to keep it least-privilege.
I'm struggling to find an OAuth scope that will allow the app to query whether a user has access to a specific repo without also needing to ask my users to grant the app permission to access their code.
The nearest I've found is repo:status
. However that requires me to guess a branch name, which is usually main
or master
, but there's no guarantee.
Is there a better way?
答案1
得分: 1
你可以尝试使用repo_deployment
范围和/repos/{owner}/{repo}/deployments
端点来完成此操作。部署列表确认了对存储库的访问权限,不需要事先了解默认分支。
如果可能的话,可以使用GitHub App 而不是 OAuth App,只关注组织存储库的话,你可以请求组织的member
和存储库的metadata
权限,以便使用/repos/{owner}/{repo}/collaborators/{username}
端点来检查用户是否是存储库的合作者。
英文:
You may be able to accomplish this using the repo_deployment
scope and the /repos/{owner}/{repo}/deployments
endpoint. The list of deployments confirms access to the repository, and it does not require prior knowledge about the default branch.
If it is possible to use a GitHub App instead of an OAuth App — and you are only concerned about organization repositories — then you could request organization member
and repository metadata
permissions in order to use the /repos/{owner}/{repo}/collaborators/{username}
endpoint to check if the user is a collaborator on the repository.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论