Dear drone.io team,
I just tried to link a single, public github repo to drone.io, but your application requires access to way more information than is needed. Why do you need access to _all_ my personal user data as well as read and write access to _all_ my repos (including private ones)?
Kind regards,
Arne
The drone.io website is an older, completely different codebase than this open source version. This is not an issue in the open source version: https://github.com/drone/drone/blob/master/pkg/handler/auth.go#L63
The open source version will eventually power drone.io, but the code is not yet ready for production use.
I just tried again after a few months and still got the message:
This application will be able to read and write all public and private repository data. This includes the following:
Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys
I got scared and ran away again. @bradrydzewski do you know when/if this will change?
This application will be able to read and write all public and private repository data.
@kenden believe it or not drone is using the absolute minimum set of permissions available. This is because GitHub doesn't offer granular permissions. For example, we want access to private repositories so we have to request the repos scope which grants write access to all private repositories. There is no such thing as a readonly scope for private repositories.
So really our hands are tied here. GitHub has shown no indication of changing this any time soon. This is why we are pushing people to open source / on premise installs for drone, and putting a lot of time and effort into making this open source project easy to setup and run.
So the official stance is, if you don't like it (and I certainly don't blame you) download and run it on your own trusted hardware.
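The reply above turns on how GitHub's classic OAuth scopes nest: `repo` implies `public_repo` (and the other repo sub-scopes), so an app that wants private repositories has to ask for write access to every repository. The following is an added example, not code from drone or the drone.io service, that builds an authorize URL for a chosen scope set and audits what a token actually carries from the `X-OAuth-Scopes` response header GitHub returns on API calls. The client id, state and the sample header value are placeholders I constructed; the scope-implication table is from GitHub's documented classic scopes.

```python
"""Audit GitHub OAuth scopes: build a minimal authorize URL and compare the
scopes a token really has (X-OAuth-Scopes header) against what is needed."""
from urllib.parse import urlencode

GITHUB_AUTHORIZE = "https://github.com/login/oauth/authorize"

# Classic GitHub OAuth scopes and the narrower scopes they imply.
# Note there is no read-only scope for private repositories: "repo"
# is the only way to see them, and it carries write access everywhere.
IMPLIED = {
    "repo": {"public_repo", "repo:status", "repo_deployment",
             "repo:invite", "security_events"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
}


def authorize_url(client_id: str, scopes, state: str, redirect_uri: str = None) -> str:
    """Build the OAuth authorize URL requesting exactly `scopes` (space separated)."""
    params = {"client_id": client_id, "scope": " ".join(scopes), "state": state}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    return f"{GITHUB_AUTHORIZE}?{urlencode(params)}"


def parse_oauth_scopes(header_value: str) -> set:
    """Parse the comma separated X-OAuth-Scopes header into a set of scope names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand(scopes) -> set:
    """Close a scope set under the implication table (repo -> public_repo, ...)."""
    result = set(scopes)
    frontier = list(scopes)
    while frontier:
        for child in IMPLIED.get(frontier.pop(), ()):
            if child not in result:
                result.add(child)
                frontier.append(child)
    return result


def missing_scopes(granted, required) -> set:
    """Required scopes the token does not satisfy, honouring implied scopes."""
    return set(required) - expand(granted)


def excess_scopes(granted, required) -> set:
    """Scopes the token carries beyond what `required` needs: the over-privilege
    the issue complains about (e.g. `repo` granted when only `public_repo` is needed)."""
    return expand(granted) - expand(required)


def audit_token_headers(headers: dict, required) -> dict:
    """Summarise a GitHub API response's scope headers against a required set."""
    granted = parse_oauth_scopes(headers.get("X-OAuth-Scopes", ""))
    return {
        "granted": granted,
        "missing": missing_scopes(granted, required),
        "excess": excess_scopes(granted, required),
    }


if __name__ == "__main__":
    # Linking one public repository needs only public_repo plus basic identity.
    needed = {"public_repo", "read:user"}
    print(authorize_url("CLIENT_ID_PLACEHOLDER", sorted(needed), "STATE_PLACEHOLDER"))
    # Constructed response headers resembling what GitHub returns for a
    # token issued with the broad "repo, user" request.
    sample_headers = {"X-OAuth-Scopes": "repo, user", "X-Accepted-OAuth-Scopes": "repo"}
    report = audit_token_headers(sample_headers, needed)
    print("granted:", sorted(report["granted"]))
    print("missing:", sorted(report["missing"]))
    print("excess :", sorted(report["excess"]))
```

Run it against a real token by issuing any authenticated request to `https://api.github.com/user` and feeding the response headers to `audit_token_headers`; a non-empty `excess` set containing `repo` is exactly the situation the thread describes.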
@bradrydzewski Is there a way for drone.io to have full access to all private and public repositories of the organisation that runs the drone.io instance and not have full access to all private and public repositories of the users of such instance?
Scenario: my company wants to set up a CI with drone.io for all its projects, we need to hire a contractor to help us, we want to give him access to our CI to look at its builds and push things in production, right now AFAIK drone.io will ask him to give us full access to his private and public repositories
Is there a way to avoid that?