
Comments (6)

jakelishman avatar jakelishman commented on August 18, 2024 1

Whatever the permission is, I think the bot already has it - I tried using its API key to query the orgs/Qiskit/membership/jakelishman endpoint, and it gives me the right data.

from qiskit-bot.

mtreinish avatar mtreinish commented on August 18, 2024

Heh, GitHub sure makes it hard to find the potential values for the author_association field. The closest I've found is: https://docs.github.com/en/graphql/reference/enums#commentauthorassociation

Based on the potential values there, I think @jakelishman is correct and the best path forward here is to query the GitHub API to ask for the list of organization memberships explicitly and verify against that.


jakelishman avatar jakelishman commented on August 18, 2024

Actually, I think to be reliable, we'll need to use an API key with admin:org and permissions to read the private members of Qiskit, then get the information from the Qiskit org API call, rather than the per-user one. For example, my membership is apparently private (I don't remember choosing, tbh), so I don't appear in the list if you use my user's organisations call.


mtreinish avatar mtreinish commented on August 18, 2024

Hmm, I'm a bit concerned if that's the case. I've very specifically been keeping the bot's permissions limited. I'd worry about giving it org admin permissions since it opens up the account to a lot more. I'd only really feel comfortable with that level of permission for the bot if it had 2FA and was not a shared account. We might want to rethink this feature if the GitHub API doesn't reliably provide an API method to detect organization membership without special permissions.


jakelishman avatar jakelishman commented on August 18, 2024

After a bit more investigation, I found that the author_association data to the PR does actually see me as a member, but only if the data is generated using the bot's API key (i.e. with the right permission level). The bot is getting fed only public information in its hooks, which is why it previously saw me as a contributor. I've since made my membership of the Qiskit org public, and now I appear as a member, even without authorisation.

The right solution here is probably either to make sure the bot is getting the full data in its webhooks, or to use the repo object (which is created with a privileged API key) to query the membership status, as I mentioned above.


mtreinish avatar mtreinish commented on August 18, 2024

I don't know if the webhook interface lets us get data as an authorized user. It basically just sends raw HTTP requests with a JSON body to an endpoint. There is minimal auth in the form of a shared secret, but that's independent of user credentials. I guess we'll just have to update the code to query the REST API, which does use the bot's key. That should hopefully be sufficient.

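An added example (not qiskit-bot's own code) of the REST-API membership check the thread settles on: it uses the bot's token instead of the webhook payload, so a private member is seen, and it fails closed when the token lacks org-level visibility. The `requests` library, the `GITHUB_TOKEN` environment variable and the injectable `fetch` transport are assumptions made here.

```python
"""Check Qiskit org membership through the GitHub REST API with the bot's token.

Assumptions (not from the thread): `requests` is installed, the token lives in
GITHUB_TOKEN, and `fetch` is injectable so the logic can run offline.
"""
import os
from dataclasses import dataclass
from typing import Callable

API = "https://api.github.com"


@dataclass
class Response:
    status_code: int


def github_get(url: str, token: str) -> Response:
    # Real transport; only used when no fake `fetch` is injected.
    import requests  # assumption: requests is available
    r = requests.get(
        url,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
        allow_redirects=False,  # a 302 carries meaning here, so do not follow it
        timeout=10,
    )
    return Response(r.status_code)


def org_membership(org: str, user: str, token: str,
                   fetch: Callable[[str, str], Response] = github_get) -> str:
    """Return 'member', 'not-member' or 'insufficient-scope'.

    GET /orgs/{org}/members/{user} answers 204 when the requester can see the
    user's public or private membership, 404 when the user is not a member, and
    302 when the requester is not itself an org member: GitHub then redirects
    to the public_members endpoint, which cannot reveal private members.
    """
    resp = fetch(f"{API}/orgs/{org}/members/{user}", token)
    if resp.status_code == 204:
        return "member"
    if resp.status_code == 404:
        return "not-member"
    if resp.status_code == 302:
        # Fail closed: with only public visibility a private member would look
        # like a non-member, so report the gap instead of guessing.
        return "insufficient-scope"
    raise RuntimeError(f"unexpected status {resp.status_code}")


if __name__ == "__main__":
    print(org_membership("Qiskit", "jakelishman", os.environ["GITHUB_TOKEN"]))
```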
