Why do I need to give write permission if I want to import from GitHub?


#1

It’s not that I wouldn’t trust you guys :wink: It just doesn’t feel very… necessary? Unnecessarily unsafe. :confused: Am I overlooking something?


#2

That’s the permission level on GitHub we need to do the import, they’re not as fine-grained as you might expect.


#3

Hey Gareth, thank you for the reply. However, I’m sorry, I still don’t get it. :confused: I’d appreciate it if you could elaborate a little bit. In which way am I mistaken if I say git clone https://github.com/nodejs/node.git or wget https://github.com/nodejs/node/archive/master.zip would do without any permissions at all? (Suppose you’d want to import the Node.js JavaScript runtime, which doesn’t make sense; I couldn’t think of a better GitHub example repository right now.) Thank you :slight_smile:


#4

Hi @priotuuo,

you’re right, in theory we don’t strictly need write permission for GitHub import of public projects, but we didn’t want to provide too many complicated options for users. If it is a security concern for you, you can use the “import link”: https://glitch.com/edit/#!/import/github/<user>/<repo>, which should work for public repositories without any write permission :slight_smile:

As for the UI, unfortunately, as @gareth said, GitHub doesn’t provide fine-grained permissions, so we opted for a “single click” experience for users for interacting with GitHub. It’s not super-safe, but it’s the best compromise. You can always revoke your permissions, by the way:



#5

Yes, you’re right @etamponi. Using https://api.glitch.com/project/githubImport without granted write permission to my GitHub account works, too. I should have just tried that… Sorry :wink: But thank you!

I’m not sure how that “Revoke repo access” link is supposed to work, but for me it didn’t revoke the write permission on GitHub. I had to go to my GitHub “Authorized OAuth Apps” settings and revoke Glitch completely to revoke the write permission. (And connect it to Glitch via login again, without write permissions.) Maybe GitHub doesn’t allow revoking single additionally added permissions once they’ve been granted?
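The two posts above (#4 on what the import actually needs, #5 on checking that a revocation really took effect) both come down to one question: which scopes does the OAuth token Glitch holds for my account carry, and are any of them more than the task needs? GitHub answers the first part itself: every authenticated REST call returns an X-OAuth-Scopes header listing the token's scopes. The example below is added here and is not code from Glitch or from either poster; it parses that header from constructed sample responses (no network access) and reports the scopes that exceed a stated minimum, treating a public-repository clone as needing no scopes at all, exactly as post #3 argued. The scope-implication table is a subset of GitHub's documented hierarchy, and the header values are made up for the example.

```python
"""Least-privilege check on a GitHub OAuth grant (added example, not Glitch code).

GitHub reports the scopes a token carries in the `X-OAuth-Scopes` response
header of any authenticated API call. The functions below parse that header
and compare the granted scopes against what a task actually needs.
"""
from __future__ import annotations

# Scopes that implicitly include other scopes (subset of GitHub's hierarchy).
IMPLIES: dict[str, set[str]] = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "write:public_key": {"read:public_key"},
}

# Scopes that allow modifying something on the account; everything else is read-only.
WRITE_SCOPES = {"repo", "public_repo", "delete_repo", "gist", "workflow"}


def parse_scope_header(value: str | None) -> set[str]:
    """Parse a comma-separated X-OAuth-Scopes value; missing or empty means no scopes."""
    if not value:
        return set()
    return {s.strip() for s in value.split(",") if s.strip()}


def expand(scopes: set[str]) -> set[str]:
    """Close a scope set under the implication table, so `repo` also counts as `public_repo`."""
    out = set(scopes)
    changed = True
    while changed:
        changed = False
        for scope in list(out):
            for implied in IMPLIES.get(scope, ()):
                if implied not in out:
                    out.add(implied)
                    changed = True
    return out


def excess_scopes(granted: set[str], needed: set[str]) -> set[str]:
    """Granted scopes (including what they imply) that the task does not need."""
    return expand(granted) - expand(needed)


def grants_write(granted: set[str]) -> bool:
    """True if any effective scope lets the token modify the account or its repositories."""
    effective = expand(granted)
    return any(s in WRITE_SCOPES or s.startswith(("write:", "admin:")) for s in effective)


def audit_headers(headers: dict[str, str], needed: set[str]) -> dict:
    """Audit the scope header of one API response against the scopes a task needs.

    `headers` is the response header mapping of an authenticated GitHub API call
    (what requests/urllib3 hand back); lookup is case-insensitive like HTTP itself.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    granted = parse_scope_header(lowered.get("x-oauth-scopes"))
    return {
        "granted": granted,
        "excess": excess_scopes(granted, needed),
        "write": grants_write(granted),
    }


# Cloning a public repository over HTTPS needs no OAuth scope at all.
NEEDED_FOR_PUBLIC_IMPORT: set[str] = set()

# Constructed sample responses (not captured from Glitch or GitHub).
GRANT_AFTER_IMPORT_BUTTON = {"X-OAuth-Scopes": "public_repo, read:user", "X-Accepted-OAuth-Scopes": ""}
GRANT_AFTER_LOGIN_ONLY = {"X-OAuth-Scopes": "read:user, user:email", "X-Accepted-OAuth-Scopes": ""}


if __name__ == "__main__":
    for label, hdrs in (("import button", GRANT_AFTER_IMPORT_BUTTON), ("login only", GRANT_AFTER_LOGIN_ONLY)):
        report = audit_headers(hdrs, NEEDED_FOR_PUBLIC_IMPORT)
        print(f"{label}: granted={sorted(report['granted'])} "
              f"excess={sorted(report['excess'])} write={report['write']}")
```

The useful pattern from post #5 is the second run: after revoking the app in GitHub's "Authorized OAuth Apps" settings and logging in again, feed the headers of a fresh API call through audit_headers and confirm that "write" is False. If it is still True, the revocation did not take effect, regardless of what the Glitch-side link reported.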


#6

:thinking: thanks for the highlight, we’ll look at the “Revoke repo access” behavior again to make sure we are actually clearing the permissions correctly :slight_smile: