Shouldn't "list org members" + admin filter throw if an app doesn't have members:read permission on the target org?

[jeffwilcox]

Select Topic Area

Bug

Body

I was having a bit of a wild debugging journey and just wanted to share feedback and perhaps this is a bug;

I am calling the "list organization members" API (https://docs.github.com/en/rest/orgs/members?apiVersion=2022-11-28#list-organization-members) with the "role: admin" parameter, to filter members to just organization owners.

To return concealed members and/or owners, your GitHub App or token needs to have members:read permission, as documented.

The API can also return just public information. The specific words are "This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested."

Shouldn't there be some kind of validation or error when you are including a filter that requires that permission, and you do not have it? Instead, the public data is returned.

As an example, as someone who does not work at Google, I can call this REST API:

• https://api.github.com/orgs/google/members?per_page=100&role=admin&page=1
• using GitHub App authentication of an app not installed in that org

The response I get back:

• is an HTTP 200
• with a full page of the public members of that GitHub org
• with the header x-accepted-github-permissions value being members=read
• request ID 6B80:2D7BD1:76BCA:92190:6622B69D

... shouldn't something have thrown, i.e. an HTTP 4xx?

The real reason this was a painful debugging experience is that it turns out my GitHub App, installed on my own GitHub org, did not have the members: read permission, and I didn't realize that since I was getting HTTP 200's back (with a very long list of not-owners) when using the filter on org admins/owners.