Skip to content

Use read:org scope instead of user for accessing orgs #73

New issue
New issue
Closed
Closed
Use read:org scope instead of user for accessing orgs#73
Labels
bugSomething isn't workingenhancementNew feature or request
@simonw

Description

@simonw
simonw
opened on Feb 25, 2021

datasette-auth-github/datasette_auth_github/views.py

Lines 19 to 24 in 31405aa

if config.get("load_teams"):
scope = "read:org"
elif config.get("load_orgs"):
scope = "user"
else:
scope = "user:email"

user scope is actually quite frightening - it allows write access to the user profile! read:org should work just as well here.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingenhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions