item 33556114

megamorf | 3 years ago

Unfortunately, it leaves a lot to be desired. I've actually had to do a fair bit of GH access reporting myself recently and I can recommend the GraphQL API as it allows you to properly list direct and indirect permissions on repositories (org + team + direct collaborator) that are a lot harder to do with the REST API due to its inconsistent permissions model.

LukeShu | 3 years ago

IME, the problem with the GraphQL API is that it does a poor job of indicating where permissions came from, and you have to fall back to bad heuristics.

For example, if team="company" has "READ", and team="company/dev" has "WRITE", and Bob is in team="company/dev" but not team="company", then Bob will have both "READ" and "WRITE" because of his membership in team="company/dev"; the API will give no indication that the "READ" indirectly came from team="company".

Also, the permissions that the PAT needs in order for GraphQL to even list those things is excessive.

Anyway, here's my audit script for such things: https://github.com/datawire/collaborators

megamorf | 3 years ago

That's actually incorrect. Check out this query: https://gist.github.com/megamorf/9c105ac9cc13a93b5449a7b683d...

I have added two output examples. One for when you only want to find users that have been directly assigned to a repo (DIRECT) and one that shows how their roles and team memberships decide what permissions they have on a repo.
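
Added example (not code from the thread or from either linked script): resolving each collaborator's effective permission and its provenance from a `repository.collaborators` page whose edges carry `permissionSources`, so that LukeShu's Bob case above (READ from team "company", WRITE from team "company/dev") and megamorf's DIRECT case both come out labelled. The response shape and the `__typename`/`slug`/`login`/`name` fields are assumptions, and the sample data is constructed.

```python
"""Resolve effective GitHub repository permissions per collaborator, with provenance."""
from __future__ import annotations

# Ordering from the thread: pull/read < triage < push/write < maintain < admin.
RANK = {"NONE": 0, "READ": 1, "TRIAGE": 2, "WRITE": 3, "MAINTAIN": 4, "ADMIN": 5}

# Constructed sample, shaped like one page of `repository.collaborators` edges with
# `permissionSources` (assumed source types: Organization | Team | Repository).
SAMPLE_EDGES = [
    {"node": {"login": "bob"}, "permission": "WRITE",
     "permissionSources": [
         {"permission": "READ", "source": {"__typename": "Team", "slug": "company"}},
         {"permission": "WRITE", "source": {"__typename": "Team", "slug": "company/dev"}}]},
    {"node": {"login": "alice"}, "permission": "ADMIN",
     "permissionSources": [
         {"permission": "READ", "source": {"__typename": "Organization", "login": "acme"}},
         {"permission": "ADMIN", "source": {"__typename": "Repository", "name": "app"}}]},
]


def describe_source(src: dict) -> str:
    """Human-readable origin of one grant: team, org default, or direct collaborator."""
    kind = src["__typename"]
    if kind == "Team":
        return f"team:{src['slug']}"
    if kind == "Organization":
        return f"org-default:{src['login']}"
    return f"direct:{src['name']}"  # Repository source = direct collaborator grant


def resolve(edges: list[dict]) -> dict[str, dict]:
    """Return {login: {"effective": perm, "granted_by": [...], "direct": bool}}."""
    out: dict[str, dict] = {}
    for edge in edges:
        sources = edge.get("permissionSources") or []
        # Effective permission is the highest-ranked grant seen from any source,
        # never lower than what the edge itself reports.
        candidates = [edge["permission"]] + [s["permission"] for s in sources]
        out[edge["node"]["login"]] = {
            "effective": max(candidates, key=RANK.__getitem__),
            "granted_by": [f"{s['permission']} via {describe_source(s['source'])}"
                           for s in sources],
            "direct": any(s["source"]["__typename"] == "Repository" for s in sources),
        }
    return out


def direct_collaborators(resolved: dict[str, dict]) -> list[str]:
    """Audit finding: logins holding a grant assigned directly on the repo."""
    return sorted(login for login, info in resolved.items() if info["direct"])
```

Running `resolve(SAMPLE_EDGES)` shows Bob's READ attributed to team "company" and his WRITE to team "company/dev", while `direct_collaborators` lists only Alice.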

sigio | 3 years ago

Having write already implies that you have read; it's not something related to being in a team with read, it's just that write always gives you read. The permission levels are pull (read), triage (read + issues/PRs), push (read + write), maintain, and admin.

pquerna | 3 years ago

I've also been working on a similar tool -- working towards open sourcing it too. Would you be interested in taking a look? paul.quenra at conductorone com

kataklasm | 3 years ago

I believe you might have a typo in your mail? Just making sure you're not missing out on something useful :)

benfrancom | 3 years ago

Nice, do you have anything you can share?