[JIRA] [github-plugin] (JENKINS-26145) Narrow down github auth scope for user logins
Adam Heinermann updated JENKINS-26145 Narrow down github auth scope for user logins

To be honest if this could have higher than critical priority that would be great.

Change By: Adam Heinermann (27/Apr/15 1:41 AM)
Attachment: Screenshotfrom2015-04-2621-33-52.png

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira
--
You received this message because you are subscribed to the Google Groups Jenkins Issues group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [github-plugin] (JENKINS-26145) Narrow down github auth scope for user logins
Pedro Algarvio commented on JENKINS-26145 Narrow down github auth scope for user logins

> It's not like you give access to your account to a third party, but to software you run yourself and can read the source code of. Therefore I don't see how this can be classified as anything more severe than Minor.

Let's consider the following... Your company has a Jenkins installation using this plugin. This plugin requests access to ALL repositories, including your private repositories, not just your company's private repositories. Do you really think that your company should have access to your private repositories?!

After reading the source code I think that the permissions were broadened to support the Github Committer Authorization Strategy. If this is the case, I think that only when using Github Committer Authorization Strategy the permissions should be broadened.

Of course, preferably, you should be able to tell the plugin what permissions you want to ask from your users, and the plugin should warn if any of its enabled features require more permissions...
[JIRA] [github-plugin] (JENKINS-26145) Narrow down github auth scope for user logins
Daniel Beck commented on JENKINS-26145 Narrow down github auth scope for user logins

Given that the source code of the plugin is available, isn't this more cosmetic than anything else?
[JIRA] [github-plugin] (JENKINS-26145) Narrow down github auth scope for user logins
Daniel Beck commented on JENKINS-26145 Narrow down github auth scope for user logins

Sure, the plugin should restrict itself to the minimum. But I meant that the impact of any additional permissions can be known with certainty in this case: It's not like you give access to your account to a third party, but to software you run yourself and can read the source code of. Therefore I don't see how this can be classified as anything more severe than Minor.
[JIRA] [github-plugin] (JENKINS-26145) Narrow down github auth scope for user logins
norman richards commented on JENKINS-26145 Narrow down github auth scope for user logins

Given that we want this plugin to work for a wide variety of users (my assumption), shouldn't the default scopes be more reasonable? I'd suggest they should be configurable so that a Jenkins installation can choose the permissions appropriate for its users.
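The idea raised in the comments above (scopes chosen per installation, with a warning when enabled features and requested scopes disagree), sketched as an added example that is not part of the thread or of the plugin's code. The feature names and the feature-to-scope mapping are assumptions for illustration; the scope names are GitHub OAuth scopes.

```python
import re

# Assumed mapping from enabled features to the scopes they need (hypothetical,
# not taken from the plugin's source).
FEATURE_SCOPES = {
    "login": {"user:email"},
    "org_membership": {"read:org"},
    "committer_authorization": {"repo"},
}

# Subset of GitHub's scope hierarchy: a parent scope also grants its children.
IMPLIES = {
    "user": {"user:email", "user:follow"},
    "repo": {"public_repo", "repo:status"},
    "admin:org": {"write:org"},
    "write:org": {"read:org"},
}

def parse_scopes(value):
    """Parse a scope list (comma- or space-separated, as in X-OAuth-Scopes)."""
    return {s for s in re.split(r"[,\s]+", value.strip()) if s}

def expand(scopes):
    """Return the scopes plus everything they transitively imply."""
    seen, todo = set(), list(scopes)
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(IMPLIES.get(s, ()))
    return seen

def required_scopes(features):
    """Union of the scopes needed by the enabled features."""
    unknown = set(features) - set(FEATURE_SCOPES)
    if unknown:
        raise ValueError(f"unknown features: {sorted(unknown)}")
    return set().union(*(FEATURE_SCOPES[f] for f in features))

def audit(granted_value, features):
    """Compare requested/granted scopes with what the enabled features need."""
    granted = parse_scopes(granted_value)
    needed = required_scopes(features)
    return {
        "missing": needed - expand(granted),  # a feature would fail: warn the admin
        "excess": granted - needed,           # broader than any enabled feature needs
    }

if __name__ == "__main__":
    # Constructed inputs: a broad grant for a login-only setup, then a narrow
    # grant with a feature enabled that needs more.
    print(audit("repo, user:email, read:org", ["login", "org_membership"]))
    print(audit("user:email", ["login", "committer_authorization"]))
```

A non-empty `excess` set is the over-request this issue describes; a non-empty `missing` set is the case where the administrator should be warned before users hit a failing feature.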
[JIRA] [github-plugin] (JENKINS-26145) Narrow down github auth scope for user logins
norman richards commented on JENKINS-26145 Narrow down github auth scope for user logins

Yeah, this is pretty important. You can't expect users to give full access to their account just to access jenkins.
[JIRA] [github-plugin] (JENKINS-26145) Narrow down github auth scope for user logins
Ben Ripkens commented on JENKINS-26145 Narrow down github auth scope for user logins

+1 for this. The plugin shouldn't need this many privileges for authentication. Possible scopes are listed here: https://developer.github.com/v3/oauth/#scopes
[JIRA] [github-plugin] (JENKINS-26145) Narrow down github auth scope for user logins
Pedro Algarvio created JENKINS-26145 Narrow down github auth scope for user logins

Issue Type: Bug
Assignee: Unassigned
Components: github-plugin
Created: 17/Dec/14 9:21 PM
Description: The latest version of the plugin is asking for too many permissions when users log into a Jenkins instance using GitHub OAuth. I agree that the plugin needs this many permissions to access the various parts of a GitHub repository, but I believe the scope for user authentication can be narrowed down to username/email address. I believe it's just a matter of using the right scope for regular user authentication instead of the broader scope that the plugin needs for "administrative" tasks. Please see https://github.com/saltstack/salt-jenkins/issues/61 for additional information on the permissions being asked of a regular user.
Project: Jenkins
Priority: Critical
Reporter: Pedro Algarvio