Hacker News new | ask | show | jobs
by megamorf 1319 days ago
Unfortunately, it leaves a lot to be desired. I've actually had to do a fair bit of GH access reporting myself recently and I can recommend the GraphQL API as it allows you to properly list direct and indirect permissions on repositories (org + team + direct collaborator) that are alot harder to do with the REST API due to its inconsistent permissions model.
3 comments
LukeShu 1319 days ago
IME, the problem with the GraphQL API is that it does a poor job of indicating where permissions came from, and you have to fall back to bad heuristics.

For example, if team="company" has "READ", and team="company/dev" has "WRITE", and Bob is in team="company/dev" but not team="company", then Bob will have both "READ" and "WRITE" because of his membership in team="company/dev"; the API will give no indication that the "READ" indirectly came from team="company".

Also, the permissions that the PAT needs in order for GraphQL to even list those things is excessive.

Anyway, here's my audit script for such things: https://github.com/datawire/collaborators

link
megamorf 1319 days ago
That's actually incorrect. Check out this query: https://gist.github.com/megamorf/9c105ac9cc13a93b5449a7b683d...

I have added two output examples. One for when you only want to find users that have been directly assigned to a repo (DIRECT) and one that shows how their roles and team memberships decide what permissions they have on a repo.

link
LukeShu 1319 days ago
If they've fixed it in the last 5 months, then hooray.
link
sigio 1319 days ago
Having write already implies that you have read, it't not something related to being in a team with read, it's just that write always gives you read. The permission levels are pull(read), triage(read+issues/pr's), push(read+write), maintain, and admin
link
LukeShu 1319 days ago
> Having write already implies that you have read

Yes, but if it's just being implied then it won't list "READ" separately in the "permissionSources", it will just list "WRITE".

link
pquerna 1319 days ago
i've also been working on a similar tool -- working towards open sourcing it too. would you be interested in taking a look? paul.quenra at conductorone com
link
kataklasm 1319 days ago
I believe you might have a typo in your mail? Just making sure you're not missing out on something useful :)
link
pquerna 1319 days ago
thank you -- can't edit it anymore, but paul.querna (spelled my own name wrong)
link
benfrancom 1319 days ago
Nice, do you have anything you can share?
link