Shouldn't "list org members" + admin filter throw if an app doesn't have members:read permission on the target org? #120267
Unanswered
jeffwilcox asked this question in API and Webhooks
Replies: 0 comments
Topic area: Bug
Body
I was having a bit of a wild debugging journey and just wanted to share feedback, and perhaps this is a bug:
I am calling the "list organization members" API (https://docs.github.com/en/rest/orgs/members?apiVersion=2022-11-28#list-organization-members) with the "role: admin" parameter, to filter members to just organization owners.
To return concealed members and/or owners, your GitHub App or token needs to have the members:read permission, as documented. The API can also return just public information. The specific words are "This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested."
Shouldn't there be some kind of validation or error when you are including a filter that requires that permission, and you do not have it? Instead, the public data is returned.
As an example, as someone who does not work at Google, I can call this REST API:
The response I get back:
x-accepted-github-permissions value being members=read
Request ID: 6B80:2D7BD1:76BCA:92190:6622B69D
... shouldn't something have thrown, i.e. an HTTP 4xx?
The real reason this was a painful debugging experience is that it turns out my GitHub App, installed on my own GitHub org, did not have the members:read permission, and I didn't realize that since I was getting HTTP 200's back (with a very long list of not-owners) when using the filter on org admins/owners.
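A client-side guard suggested by the behaviour described in this post, added here as an example and not code from the post or from GitHub: compare the x-accepted-github-permissions header on the response against the installation's granted permissions (the `permissions` object returned by GET /app/installations/{installation_id}) and fail closed instead of trusting a 200 that may hold only public members. The sample permissions, headers and request id are constructed; the page shows only the value members=read, so the parsing of ';'-separated alternatives with ','-separated pairs is my assumption about the header format.

```python
"""Fail closed when a GitHub App token lacks a permission the endpoint accepted."""
from typing import Dict, List

# Constructed: the `permissions` object of a hypothetical installation, as
# returned by GET /app/installations/{installation_id}. Note: no "members" key.
INSTALLATION_PERMISSIONS: Dict[str, str] = {"metadata": "read", "contents": "read"}

# Constructed: headers from a 200 response to GET /orgs/{org}/members?role=admin.
RESPONSE_HEADERS: Dict[str, str] = {
    "x-accepted-github-permissions": "members=read",
    "x-github-request-id": "REQUEST-ID-PLACEHOLDER",
}

LEVEL = {"read": 1, "write": 2, "admin": 3}  # a higher level satisfies a lower one


def parse_accepted(header: str) -> List[Dict[str, str]]:
    """Split the header into alternative permission sets (assumption: ';' between
    alternatives, ',' between name=level pairs; the page shows only members=read)."""
    alternatives = []
    for alt in header.split(";"):
        pairs = [p.strip().partition("=") for p in alt.split(",") if p.strip()]
        if pairs:
            alternatives.append({n.strip(): lvl.strip() for n, _, lvl in pairs})
    return alternatives


def satisfies(granted: Dict[str, str], needed: Dict[str, str]) -> bool:
    """True if every needed permission is granted at that level or higher."""
    return all(LEVEL.get(granted.get(n), 0) >= LEVEL.get(lvl, 99)
               for n, lvl in needed.items())


def missing_permissions(granted: Dict[str, str], headers: Dict[str, str]) -> List[str]:
    """[] if some accepted alternative is satisfied, else the gaps in the first one."""
    header = next((v for k, v in headers.items()
                   if k.lower() == "x-accepted-github-permissions"), "")
    alternatives = parse_accepted(header)
    if not alternatives or any(satisfies(granted, a) for a in alternatives):
        return []
    return [f"{n}:{lvl}" for n, lvl in alternatives[0].items()
            if not satisfies(granted, {n: lvl})]


def require_full_access(granted: Dict[str, str], headers: Dict[str, str]) -> None:
    """Raise instead of silently accepting a response that may be public data only."""
    gaps = missing_permissions(granted, headers)
    if gaps:
        raise PermissionError(f"token lacks {gaps}; the 200 may contain public data only")
```

With the constructed sample above, `missing_permissions(INSTALLATION_PERMISSIONS, RESPONSE_HEADERS)` reports `['members:read']`, which is exactly the gap the post spent a debugging session discovering.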