Require less permissions for Zappr about zappr HOT 3 CLOSED

I agree with this ... I don't really feel comfortable with giving some application write access to all my repositories, or admin access to hooks (for all my repositories). (Even if that application is hosted by Zalando, which I know is trustworthy.)

It should be possible to request the permissions just for those repositories for which they are needed (I'm not installing zappr for all my private repos, just some Zalando ones), and just for the time it is needed. (The admin permissions are only needed while installing/uninstalling, right?)

Do we really need write access to the repo to get the list of contributors? Could I remove that permission when not using this feature in my .zappr.yaml, and not using the branch creation feature? (I don't really see this branch creation thing as valuable – not every issue needs a branch, and often those branches should have a different name anyways, or will be on some forked repository.)

from zappr.

It should be possible to request the permissions just for those repositories for which they are needed

Yeah, but the Github API doesn't work that way. Either we get access to all public repos or all public and private repos.

Could I remove that permission when not using this feature in my .zappr.yaml

Yes, that would work.

The main obstacle is that it would take some work to get the UX of all this right.

from zappr.

It should be possible to request the permissions just for those repositories for which they are needed

Yeah, but the Github API doesn't work that way. Either we get access to all public repos or all public and private repos.

Hmm, so Github has a too limited permission model here :-(

(I did have a look to find if there is some public feature request tracker for Github, but didn't find any.)

from zappr.