René's URL Explorer Experiment


Title: GitHub's Permission System is Flawed · Issue #113 · dear-github/dear-github · GitHub

Open Graph Title: GitHub's Permission System is Flawed · Issue #113 · dear-github/dear-github

X Title: GitHub's Permission System is Flawed · Issue #113 · dear-github/dear-github

Description: This is an open letter to @github on behalf of third-party app developers. For a very long time, permission scopes has been a common issue for both users and app developers. These scopes are extremely permissive and far too broad, preven...

Open Graph Description: This is an open letter to @github on behalf of third-party app developers. For a very long time, permission scopes has been a common issue for both users and app developers. These scopes are extrem...

X Description: This is an open letter to @github on behalf of third-party app developers. For a very long time, permission scopes has been a common issue for both users and app developers. These scopes are extrem...

Opengraph URL: https://github.com/dear-github/dear-github/issues/113

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"GitHub's Permission System is Flawed","articleBody":"_This is an open letter to @GitHub on behalf of third-party app developers._\n\nFor a very long time, [permission scopes](https://developer.github.com/v3/oauth/#scopes) has been a common issue for both users and app developers. \nThese scopes are extremely permissive and far too broad, preventing users from using third-party applications.\n\nWe need a more granular permission system and we hope you listen to this.\n\nBelow you can find some examples that describes exactly what we mean by how flawed the system is and some suggestions to improve it.\n\n---\n###### `gist` scope\n\n\u003e _Grants write access to gists._\n\nLet's say you want to build an app like [GistBox](http://gistboxapp.com) to organize gists. In order to read **read private gists** you would need to request the `gist` scope.\n\nHere's what users would see:\n\n\u003cimg width=\"425\" alt=\"gist\" src=\"https://cloud.githubusercontent.com/assets/398893/12970272/538a35a8-d041-11e5-9332-242d9f5b7da1.png\"\u003e\n\nEven if you don't want to create any gists, you still need to request write access. Some users may find that ok, but other users can be afraid of having someone creating or editing their precious code snippets.\n\n**Solution:** what if we had `read_public:gist`, `read_private:gist`, `write_public:gist`, and `write_private:gist` instead?\n\n---\n###### `public_repo` scope\n\n\u003e _Grants read/write access to code, commit statuses, collaborators, and deployment statuses for public repositories and organizations. Also required for starring public repositories._\n\nAnother example: let's say you want to create an app like [Waffle](https://waffle.io/), [HuBoard](https://huboard.com/), or [ZenHub](https://www.zenhub.io/) to manage your issues. In order to have a basic functionality like **creating issues on public repositories**, you would need to request the `public_repo` scope.\n\nHere's what users would see:\n\n\u003cimg width=\"425\" alt=\"public repo\" src=\"https://cloud.githubusercontent.com/assets/398893/12969874/ae303ce2-d03b-11e5-8540-2075d7fbaa1a.png\"\u003e\n\nNote how broad this permission is. These apps have no interest on wikis, deploy keys, webhooks, or anything like that. But still, that's the only way to go.\n\n**Solution:** what if we had `read_public:repo_code`, `read_public:repo_issues`, and `write_public:repo_stars` instead?\n\n---\n###### `repo` scope\n\n\u003e _Grants read/write access to code, commit statuses, collaborators, and deployment statuses for public and private repositories and organizations._\n\nFinally, the issue I'm personally facing right now. Let's say you want to build an app like [DevSpace](https://devspace.io/) to **read public and private events**. For this we'd have to use the `repo` scope.\n\nHere's what users would see:\n\n\u003cimg width=\"429\" alt=\"private repo\" src=\"https://cloud.githubusercontent.com/assets/398893/12969880/c9214b22-d03b-11e5-80d9-7691f41b2096.png\"\u003e\n\nThis is probably the most shocking permission scope. Even though we don't want to write anything we'd still need to request a permission that can change code, issues, and many other important things from private repos.\n\n**Solution:** what if we had `read_public:events_repo`, `read_private:events_repo`, `read_public:events_org`, and `read_private:events_org` instead?\n\n---\n\nYou see, those are just few examples, there are many other apps facing the same issue:\n- https://github.com/ZenHubIO/support/issues/77\n- https://github.com/waffleio/waffle.io/issues/1957\n- https://github.com/huboard/huboard/issues/203\n- https://github.com/huboard/huboard/issues/468\n- https://github.com/astralapp/astral/issues/1\n- https://github.com/astralapp/astral/issues/11\n- https://github.com/mozillascience/site/issues/11\n- https://github.com/jollygoodcode/jollygoodcode.github.io/issues/6\n- https://github.com/thoughtbot/hound/issues/925\n- https://github.com/bkeepers/github-notifications/issues/146\n- https://github.com/holman/ama/issues/635\n- https://github.com/isaacs/github/issues/268\n- https://github.com/isaacs/github/issues/311\n- https://github.com/isaacs/github/issues/31\n- https://twitter.com/iandees/status/692855774645604359\n- https://twitter.com/jasontrill/status/690813850350854144\n- https://twitter.com/omarqureshi/status/655148749019303936\n- https://twitter.com/YAMPST/status/623204972029734914\n- https://twitter.com/codingjester/status/613019497549705217\n- http://blog.waffle.io/updated-permissions/\n- https://gitter.zendesk.com/hc/en-us/articles/200176672-Authenticating-with-GitHub\n- https://blog.outlearn.com/shortcomings-of-github-oauth-for-multiple-scope-permission-levels-d4e959d2c6fe\n\n---\n\n@syropian, @ashumz, @acroca, @drusellers, @burtonjc, @pierrebeugnot, @rauhryan, @homeyer, @sxgao3001, @marydavis, @nparsons08, @zhangchiqing, @wbeard, @jamie, @diophore, @glenngillen, @troy, @winston do you agree?\n\n---\n\nI love GitHub and I hope this discussion contributes back to their product. There's a lot of potential on this community and I believe we can make a change.\n","author":{"url":"https://github.com/zenorocha","@type":"Person","name":"zenorocha"},"datePublished":"2016-02-11T07:32:10.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":101},"url":"https://github.com/113/dear-github/issues/113"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:942631b0-7cc5-c406-7638-495473e39158
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-id817A:1DD20D:A67424:E0EFD4:6A5A8C53
html-safe-nonce7b6cd5f5464f8bef97991abb52f1f61eb11314dcf632f0bf38928c73bdd1f38d
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4MTdBOjFERDIwRDpBNjc0MjQ6RTBFRkQ0OjZBNUE4QzUzIiwidmlzaXRvcl9pZCI6IjE0NzU0MDYzNTk4NTIzODc0MTEiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ==
visitor-hmac7d65f95be35bff9a8b24e6979a5aaa616b45d9e17d578c9c34fd4d6cc9ba20db
hovercard-subject-tagissue:132907872
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/dear-github/dear-github/113/issue_layout
twitter:imagehttps://opengraph.githubassets.com/03c44e9d2ef3192d783714973084d2e5880d85ad7a0f012f3b8dfecfd848ae95/dear-github/dear-github/issues/113
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/03c44e9d2ef3192d783714973084d2e5880d85ad7a0f012f3b8dfecfd848ae95/dear-github/dear-github/issues/113
og:image:altThis is an open letter to @github on behalf of third-party app developers. For a very long time, permission scopes has been a common issue for both users and app developers. These scopes are extrem...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernamezenorocha
hostnamegithub.com
expected-hostnamegithub.com
None9989a1a1d89aa5a38a19e5d0c7ee88a8ffde84acde90048990492aae52f235db
turbo-cache-controlno-preview
go-importgithub.com/dear-github/dear-github git https://github.com/dear-github/dear-github.git
octolytics-dimension-user_id16708458
octolytics-dimension-user_logindear-github
octolytics-dimension-repository_id49668250
octolytics-dimension-repository_nwodear-github/dear-github
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id49668250
octolytics-dimension-repository_network_root_nwodear-github/dear-github
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
releaseba6769fbf719c56dbf7bed650ce454dafc5b1528
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/dear-github/dear-github/issues/113#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fdear-github%2Fdear-github%2Fissues%2F113
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/open-source/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/open-source/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/enterprise/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fdear-github%2Fdear-github%2Fissues%2F113
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=dear-github%2Fdear-github
Reloadhttps://github.com/dear-github/dear-github/issues/113
Reloadhttps://github.com/dear-github/dear-github/issues/113
Reloadhttps://github.com/dear-github/dear-github/issues/113
Please reload this pagehttps://github.com/dear-github/dear-github/issues/113
dear-github https://github.com/dear-github
dear-githubhttps://github.com/dear-github/dear-github
Notifications https://github.com/login?return_to=%2Fdear-github%2Fdear-github
Fork 116 https://github.com/login?return_to=%2Fdear-github%2Fdear-github
Star 5.2k https://github.com/login?return_to=%2Fdear-github%2Fdear-github
Code https://github.com/dear-github/dear-github
Issues 273 https://github.com/dear-github/dear-github/issues
Pull requests 5 https://github.com/dear-github/dear-github/pulls
Actions https://github.com/dear-github/dear-github/actions
Projects https://github.com/dear-github/dear-github/projects
Security and quality 0 https://github.com/dear-github/dear-github/security
Insights https://github.com/dear-github/dear-github/pulse
Code https://github.com/dear-github/dear-github
Issues https://github.com/dear-github/dear-github/issues
Pull requests https://github.com/dear-github/dear-github/pulls
Actions https://github.com/dear-github/dear-github/actions
Projects https://github.com/dear-github/dear-github/projects
Security and quality https://github.com/dear-github/dear-github/security
Insights https://github.com/dear-github/dear-github/pulse
GitHub's Permission System is Flawedhttps://github.com/dear-github/dear-github/issues/113#top
https://github.com/zenorocha
zenorochahttps://github.com/zenorocha
on Feb 11, 2016https://github.com/dear-github/dear-github/issues/113#issue-132907872
@githubhttps://github.com/github
permission scopeshttps://developer.github.com/v3/oauth/#scopes
GistBoxhttp://gistboxapp.com
https://cloud.githubusercontent.com/assets/398893/12970272/538a35a8-d041-11e5-9332-242d9f5b7da1.png
Wafflehttps://waffle.io/
HuBoardhttps://huboard.com/
ZenHubhttps://www.zenhub.io/
https://cloud.githubusercontent.com/assets/398893/12969874/ae303ce2-d03b-11e5-8540-2075d7fbaa1a.png
DevSpacehttps://devspace.io/
https://cloud.githubusercontent.com/assets/398893/12969880/c9214b22-d03b-11e5-80d9-7691f41b2096.png
https://github.com/ZenHubIO/support/issues/77https://github.com/ZenHubIO/support/issues/77
https://github.com/waffleio/waffle.io/issues/1957https://github.com/waffleio/waffle.io/issues/1957
Access and permissions huboard/huboard#203https://github.com/huboard/huboard/issues/203
Huboard asks for wider permissions than it needs huboard/huboard#468https://github.com/huboard/huboard/issues/468
github permissions astralapp/astral#1https://github.com/astralapp/astral/issues/1
Limit permissions astralapp/astral#11https://github.com/astralapp/astral/issues/11
Login via GitHub prompts to authorize application to access private organization data and modify public organization data mozilla/science.mozilla.org#11https://github.com/mozilla/science.mozilla.org/issues/11
Read-Only OAuth Scope on GitHub, Please? jollygoodcode/jollygoodcode.github.io#6https://github.com/jollygoodcode/jollygoodcode.github.io/issues/6
https://github.com/thoughtbot/hound/issues/925https://github.com/thoughtbot/hound/issues/925
Permissions scoping bkeepers/github-notifications#146https://github.com/bkeepers/github-notifications/issues/146
3rd Party App Permissions - Read and Write Public and Private Repos? holman/ama#635https://github.com/holman/ama/issues/635
Add separate privilege to organization teams for issue management isaacs/github#268https://github.com/isaacs/github/issues/268
Fine grain control over team permissions isaacs/github#311https://github.com/isaacs/github/issues/311
Gist OAuth scope is too permissive isaacs/github#31https://github.com/isaacs/github/issues/31
https://twitter.com/iandees/status/692855774645604359https://twitter.com/iandees/status/692855774645604359
https://twitter.com/jasontrill/status/690813850350854144https://twitter.com/jasontrill/status/690813850350854144
https://twitter.com/omarqureshi/status/655148749019303936https://twitter.com/omarqureshi/status/655148749019303936
https://twitter.com/YAMPST/status/623204972029734914https://twitter.com/YAMPST/status/623204972029734914
https://twitter.com/codingjester/status/613019497549705217https://twitter.com/codingjester/status/613019497549705217
http://blog.waffle.io/updated-permissions/http://blog.waffle.io/updated-permissions/
https://gitter.zendesk.com/hc/en-us/articles/200176672-Authenticating-with-GitHubhttps://gitter.zendesk.com/hc/en-us/articles/200176672-Authenticating-with-GitHub
https://blog.outlearn.com/shortcomings-of-github-oauth-for-multiple-scope-permission-levels-d4e959d2c6fehttps://blog.outlearn.com/shortcomings-of-github-oauth-for-multiple-scope-permission-levels-d4e959d2c6fe
@syropianhttps://github.com/syropian
@ashumzhttps://github.com/ashumz
@acrocahttps://github.com/acroca
@drusellershttps://github.com/drusellers
@burtonjchttps://github.com/burtonjc
@pierrebeugnothttps://github.com/pierrebeugnot
@rauhryanhttps://github.com/rauhryan
@homeyerhttps://github.com/homeyer
@sxgao3001https://github.com/sxgao3001
@marydavishttps://github.com/marydavis
@nparsons08https://github.com/nparsons08
@zhangchiqinghttps://github.com/zhangchiqing
@wbeardhttps://github.com/wbeard
@jamiehttps://github.com/jamie
@glenngillenhttps://github.com/glenngillen
@troyhttps://github.com/troy
@winstonhttps://github.com/winston
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.