
Clarify permissions attached to per-repository API keys #34

Open
jcushman opened this issue Dec 17, 2024 · 0 comments

Comments

@jcushman

API keys look like they are created per-repository, but really they are created per-user. It would be good (one way or another) for the interface and the permissions attached to keys to match.

For example, here is a new repository with no keys:

[screenshot: key list of the new repository, showing no keys]

This repository can still be written to, because keys created for other repositories are able to write to it.

And, even more unintuitively, keys created for a repo belonging to a user can be used to write to another repo belonging to an organization they're part of.

I think it's a good idea for permissions attached to keys not to be surprising, so I would update the interface to match the intent:

  • If the intent is for a user to have one or more keys they use for all their repositories, I would manage keys on a user-level page instead of a repo-level page, and just have the Manage Repo page link to that.
  • If the intent is to have repo-level keys, I would have them not have permissions for other repos.

I didn't test how this works for multiple users of an org repo, but I would figure out something for that too: can all users see the same keys, or are they per-user?
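The two scoping models the report contrasts (keys that are really per-user versus keys limited to the repo they were issued for), as an added example that is not the project's own code; the repo names, org membership, the ApiKey fields and the policy functions are assumptions made for illustration:

```python
from dataclasses import dataclass

# Constructed sample data (assumed, not taken from the project).
REPOS = {
    "alice/notes": "alice",      # repo -> owner (a user or an org)
    "alice/new-repo": "alice",   # the "new repository with no keys" from the report
    "acme/site": "acme",         # an org repo alice is a member of
}
ORG_MEMBERS = {"acme": {"alice", "bob"}}


@dataclass(frozen=True)
class ApiKey:
    owner: str                              # user the key belongs to
    created_for: str                        # repo shown in the UI when the key was made
    repo_scope: frozenset = frozenset()     # repos the key may write; empty = unscoped


def can_write_user_scoped(key: ApiKey, repo: str) -> bool:
    """Behaviour the report describes: the key is effectively a user credential,
    so it can write to any repo its owner can write to, org repos included."""
    repo_owner = REPOS[repo]
    return repo_owner == key.owner or key.owner in ORG_MEMBERS.get(repo_owner, set())


def can_write_repo_scoped(key: ApiKey, repo: str) -> bool:
    """Second option from the report: a repo-level key only writes to the repos it
    was explicitly issued for, and still only where its owner could write anyway."""
    if repo not in key.repo_scope:
        return False
    return can_write_user_scoped(key, repo)


def issue_repo_key(owner: str, repo: str) -> ApiKey:
    """Mint a key scoped to exactly one repository."""
    return ApiKey(owner=owner, created_for=repo, repo_scope=frozenset({repo}))


def audit(key: ApiKey, repos, check) -> list:
    """List the repos a key can write to under a given policy; useful for spotting
    keys whose effective reach exceeds what the UI suggested when they were created."""
    return sorted(r for r in repos if check(key, r))
```

Running audit with both policies on a key created "for" alice/notes shows the gap the report describes: the user-scoped policy lets it write to the empty new repo and the org repo, while the repo-scoped policy restricts it to the one repo it was issued for.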
