It’s not that I wouldn’t trust you guys. It just doesn’t feel very… necessary? Unnecessarily unsafe. Am I overlooking something?
That’s the permission level on GitHub we need to do the import, they’re not as fine-grained as you might expect.
Hey Gareth, thank you for the reply. However, I’m sorry, I still don’t get it. I’d appreciate it if you could elaborate a little bit. In which way am I mistaken if I say
git clone https://github.com/nodejs/node.git
or
wget https://github.com/nodejs/node/archive/master.zip
would do without any permissions at all? (Suppose you’d want to import the Node.js JavaScript runtime, which doesn’t make sense; I couldn’t think of a better GitHub example repository right now.) Thank you.
Hi @priotuuo,
you’re right, in theory we don’t strictly need write permission for GitHub import of public projects, but we didn’t want to provide too many complicated options for users. If it is a security concern for you, you can use the “import link”: https://glitch.com/edit/#!/import/github/<user>/<repo>, which should work for public repositories without any write permission.
As for the UI, unfortunately, as @gareth said, GitHub doesn’t provide fine-grained permissions, so we opted for a “single click” experience for users for interacting with GitHub. It’s not super-safe, but it’s the best compromise. You can always revoke your permissions, by the way:
Yes, you’re right @etamponi. Using https://api.glitch.com/project/githubImport without granted write permission to my GitHub account works, too. I should have just tried that… Sorry. But thank you!
I’m not sure how that “Revoke repo access” link is supposed to work, but for me it didn’t revoke the write permission on GitHub. I had to go to my GitHub “Authorized OAuth Apps” settings and revoke Glitch completely to revoke the write permission. (And connect it to Glitch via login, again - without write permissions.) Maybe GitHub doesn’t allow revoking of single additionally added permissions once they’ve been granted?
Thanks for the highlight, we’ll look at the “Revoke repo access” behavior again to make sure we are actually clearing the permissions correctly.