This repository has been archived by the owner on Nov 18, 2021. It is now read-only.

[API] Can't add members to a team using token with write:org permissions #154

patcon opened this issue Feb 22, 2014 · 3 comments

patcon commented Feb 22, 2014

While working on gratipay/roobot#9 and using the API via personal access tokens, I'm pretty sure I discovered a bug:

Bug Summary

When trying to write a script that involved adding team members via API, I found that, as an owner, I could add them easily to the owner team when the token had write:org permissions. However, when trying to add a member to a non-owner team in that same org, I got a 404. Elevating permissions to admin:org solved the issue temporarily, but those are much higher privileges than I would like to provide.

Expected Behaviour

I would expect to be able to manage non-owner teams without having to provide admin:org access to a script.

The description of write:org would lead me to believe that this should be possible:

read and write org and team membership

Steps to Reproduce

  1. Create a new org
  2. Create a new repo in that org
  3. Create a team with read access to that repo
  4. Create a personal access token with write:org permissions
  5. Add a team member to the owner team via API: SUCCESS!
  6. Add a team member to the non-owner team via API: FAILURE!
  7. Add permission admin:org to access token.
  8. Add a team member to the non-owner team via API: SUCCESS!

Notes

Oddly enough, I also saw this behaviour:

  • Promoting the team to have admin access allowed me to add members even if the token only had write:org access.
  • My being on the test team was not required for the above point to be successful (i.e. it doesn't seem to be that the team permissions are somehow overriding my own org owner permissions.)

patcon commented Feb 22, 2014

Reported to [email protected]:

Heyo!

Just documented a bug over here:
#154

It restricts permissions rather than elevating them, so hopefully it isn't a problem to report it publicly.

You're all awesome. Thanks!

Patrick


patcon commented Feb 24, 2014

Ah, got a reply and apparently the x:org permission set wasn't ready to be released yet:

Hey Patrick,

Thanks for getting in touch and reporting this! Those scopes write:org and admin:org are not ready for prime time yet, and shouldn't have been shown on the token creation page. It's something we're working on and testing internally, so we just removed them from the token creation page (together with some other scopes that were accidentally shown).

For updates about these and other scopes -- please follow the API changelog:

http://developer.github.com/changes/

Sorry for the confusion about this, and we appreciate the report you sent in! Let us know if you have any questions, or notice any other strangeness with the API.

Cheers,
Ivan

Sent this reply:

Ah gotcha. Thanks Ivan! The short-term developer preview was nice while it lasted ;)

And hey, don't be too hard on whoever committed the bug that exposed the UI -- I wouldn't have known that our hubot script idea was feasible if I didn't know that that super-helpful permission set was coming down the pipe.

Anyhow, thanks again!

Guess I can close this for now :P

@patcon patcon closed this as completed Feb 24, 2014

patcon commented Feb 26, 2014

Got another reply from @izuzak that was super-helpful:

Hey again Patrick,

Just wanted to let you know that no GitHubbers were hurt while fixing the issue you reported. ;)

As you probably noticed, we released those *:org scopes yesterday:

http://developer.github.com/changes/2014-02-25-organization-oauth-scopes/

The issue you reported granted tokens with write:org scope with permissions to add members to some teams. This was not intended behavior, since only tokens with admin:org scope should grant permission to manage teams. This issue was resolved before the new scopes were launched, so I wanted to thank you again for reporting it!

Also, if I understood you correctly, you expected to be able to manage teams without granting admin:org scope. I do agree that this might be useful in some situations, so I've passed your feedback to the team to consider this. However, I can't make any promises about if/when additional scopes for managing teams might be available.

Let us know if you notice any other misbehaving OAuth scopes. :)

Cheers,
Ivan

And my reply:

Thanks Ivan!

Yes, since the ability to do certain things via the API (in my case, assigning issues to users) relies on them being added to a certain low-privilege team, team management access is required in order to use that subset of API methods. A more limited ability for team management would allow me to sleep better at night. Having to give a bot admin access to a whole org just to be able to add people to a read-only team on a small repo -- that doesn't seem right :)

Thanks very much to you guys for the new scopes though! Really appreciate it :)

Patrick
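A least-privilege check for the scope headers GitHub returns on every API response, added here as an example and not code from this issue or from GitHub: it encodes the hierarchy admin:org > write:org > read:org and the rule Ivan states above (team management accepts admin:org), so a bot holding only the write:org token from the steps to reproduce is reported as insufficient up front instead of discovering a 404 mid-run, and a token carrying more than an endpoint needs is flagged as excess. The header names X-OAuth-Scopes and X-Accepted-OAuth-Scopes are real; the scope table, the any-of reading of the accepted list and the sample values are this example's own assumptions.

```python
"""Scope checks for GitHub personal access tokens, based on the headers
X-OAuth-Scopes (what the token holds) and X-Accepted-OAuth-Scopes (what the
endpoint accepts). All header values below are constructed samples."""

# Assumed hierarchy for the organization scope family: admin:org implies
# write:org, which implies read:org. Only the scopes this issue is about.
IMPLIES = {
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
}


def parse_scope_header(value):
    """Split a comma-separated scope header into a set; '' means no scopes."""
    return {s.strip() for s in value.split(",") if s.strip()}


def expand(scopes):
    """Scopes effectively granted, including the ones implied by IMPLIES."""
    granted = set(scopes)
    for scope in list(granted):
        granted |= IMPLIES.get(scope, set())
    return granted


def scope_check(granted_header, accepted_header):
    """Return (allowed, missing). The accepted list is read as alternatives
    (assumption): the call is allowed when any accepted scope is reached by
    the token's expanded set; `missing` lists accepted scopes it cannot reach."""
    granted = expand(parse_scope_header(granted_header))
    accepted = parse_scope_header(accepted_header)
    if not accepted:  # endpoint requires no scope, e.g. a public read
        return True, set()
    reached = {a for a in accepted if a in granted}
    return bool(reached), accepted - granted


def excess_scopes(granted_header, accepted_header):
    """Scopes the token holds beyond what the endpoint accepts (directly or
    by implication): the over-privilege a bot token review should flag."""
    granted = parse_scope_header(granted_header)
    covered = expand(parse_scope_header(accepted_header))
    return granted - covered


if __name__ == "__main__":
    # The situation from the issue: write:org token, team-management endpoint.
    print(scope_check("write:org", "admin:org"))   # (False, {'admin:org'})
    print(excess_scopes("admin:org", "read:org"))  # {'admin:org'}
```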
