Adding an integration when not an admin


#1

Hi GitHub crew,

We’ve been using GitHub integrations in production at percy.io for some months now, and generally it’s working great. We’re looking forward to them becoming available for GitHub for Enterprise too. Thank you!

One little bit of friction we’ve noticed is when a senior person in our customer’s organization tries to add the integration, they don’t see their organization in the list of organizations they can install Percy in. This is perhaps because someone else set up the organization, and this person only has write access and was never granted admin access, as an oversight.

This causes two problems.

  1. Confusion about why their desired org is not in the list. Perhaps a little note under the list saying they need to be an admin would help with this.

  2. A small amount of hoop jumping to become an admin (one company had their actual admin on leave for a week when trying to set up), and then come back to add the integration. If there was a safe way for people with write access to add integrations that request rights that are a subset of their own access, this could perhaps be helpful.

Overall though, we’re very happy with the integrations. Thank you!


Why can't repository admins install Integrations in their repository?
#2

Thanks for the feedback on this process @timhaines.

> Confusion about why their desired org is not in the list. Perhaps a little note under the list saying they need to be an admin would help with this.

I agree that’s a confusing experience. We intend to make this process clearer so that Orgs aren’t just not showing in the list. Further, we plan to implement functionality for a non-admin to “Request to install on this Integration on this Organization” which will notify the org admin to actually approve/perform the installation.

> If there was a safe way for people with write access to add integrations that request rights that are a subset of their own access, this could perhaps be helpful.

While we don’t currently have plans to allow non-admins to install Integrations outside of the request process I mentioned, I’ve made a note of this request for us to consider in the future as we evolve this functionality.


#3

Thanks @jmilas! Prompting non-admins to “Request to install on this Integration on this Organization” sounds perfect.

Tim


#4

We’ve been testing our integration with several users and encountered this issue too. Having a “request to install” feature would be really helpful. We’d also be happy if non-admins could install integrations to repos they have admin or write access to.

Additionally, it would be great if the user could be reminded who the admins are when they request the installation. In larger organisations we’ve spoken to, people rarely seem to know who the admins are, which is a blocker to getting the installation set up. Even if a request is sent out to a team of admins, getting approval is probably going to require an out-of-band conversation between the engineer requesting the installation and one of the admins. Showing a list of people to go nag would make this much smoother :slight_smile:

Currently we’re getting around this with a standard OAuth integration that lists a user’s orgs and org admins, but we’d like to move over to the newly-released integrations OAuth feature.

Thanks, and nice work on shipping the recent updates to integrations!


#5

Thanks for this request. We’ve also been discussing the option to allow repo admins to do this. We’ll update here if this is something we implement.


#6

Update on part of this conversation - users with admin access to a repository can now install on it. Hope that helps your developments!


#7

If the installation already exists, I get a 404 when I try to “Configure” it.


#8

Hey team,

I think I’ve got a bit more detail on the bug @notriddle mentioned above. I’ll walk you through the full flow in our app, before speculating exactly where the problem is.

One of our users, Harry Maclean, has access to installations of our app (Dependabot) on his personal account and on his work account. We know this by hitting https://developer.github.com/v3/apps/#list-installations-for-user, so we serve him a list of accounts he can switch between:

He views as GoCardless (his work account) and wants to add some additional repos to the installation. He’s an admin of those repos, but not of the GoCardless organisation. We serve him a link to configure his installation: https://github.com/organizations/gocardless/settings/installations/23050

When he clicks that link, he gets a 404 (as do I, but for me that’s correct - I don’t have permission).

My guess is that this is a permissions issue on the GitHub side - Harry would have been able to install our app to his work account, but when it’s already linked you’re checking permissions in a different way, and he can’t “configure” the app to add a new repo (of which he is an admin).


#9

Hi @notriddle @greysteil :wave:. The reason why you’re seeing a 404 is that you’re hitting the URL for the installation’s settings. The installation’s settings are currently accessible only by users with admin access to the installation target, which in this case are only organization owners.

It’s true that non-owners who have admin access to some repositories in the organization would be able to install the integration on those repositories, but that’s a bit different than giving them access to the page for the settings of the installation as a whole. We think it would be good to allow members with admin access to some repositories to reconfigure the installation but only the parts they have permissions for, so it would probably need to be a different page/view than the current installation settings (since that page would currently allow them to do things they don’t have permission for). We have an issue open internally to explore this, but I can’t promise when changes might be made. We’ll follow up here as soon as there’s any news, though.

Let me know if I misunderstood anything or if you have any other thoughts/feedback on this. :bow:
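
The access rules discussed in posts #1 and #9, as an added sketch that is not part of the thread and not GitHub's implementation: whole-installation settings stay owner-only, a repository admin gets a view limited to the repositories they administer, and an install is allowed only when the rights the app requests are a subset of the user's own. All class names, function names, the permission ranking and the sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Repository permission levels, weakest to strongest (ranking assumed here).
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

@dataclass
class User:
    login: str
    org_owner: bool = False
    repo_access: dict = field(default_factory=dict)  # repo name -> level

@dataclass
class Installation:
    org: str
    repos: set        # repos the app is currently installed on
    requested: dict   # rights the app requests, e.g. {"contents": "write"}

def can_open_settings(user, inst):
    """Post #9: the whole-installation settings page is owner-only."""
    return user.org_owner

def within_own_access(user, repo, inst):
    """Post #1: every right the app requests is <= the user's own level."""
    own = LEVELS[user.repo_access.get(repo, "none")]
    return all(LEVELS[level] <= own for level in inst.requested.values())

def scoped_view(user, inst, org_repos):
    """Post #9's idea: expose only the parts the user has permission for."""
    if user.org_owner:
        manageable = set(org_repos)
    else:
        manageable = {r for r in org_repos
                      if user.repo_access.get(r) == "admin"}
    return {
        "can_add": sorted(manageable - inst.repos),
        "can_remove": sorted(manageable & inst.repos),
        "hidden": sorted(set(org_repos) - manageable),
    }

# Constructed sample data.
ORG_REPOS = ["api", "billing", "docs"]
INST = Installation("example-org", {"api"},
                    {"contents": "write", "pull_requests": "write"})
OWNER = User("org-owner", org_owner=True)
REPO_ADMIN = User("repo-admin", repo_access={
    "api": "admin", "docs": "admin", "billing": "read"})

if __name__ == "__main__":
    print(can_open_settings(REPO_ADMIN, INST))
    print(scoped_view(REPO_ADMIN, INST, ORG_REPOS))
```
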


#10

Hey @izuzak. Thanks for the update.

Are you guys aware that GitHub serves the same link when a user goes to install an app, has admin rights on a repo for an organisation that they’re not an admin of, but the organisation already has an installation?

Here’s an example from my personal account. Clicking through to install Dependabot at https://github.com/apps/dependabot/installations/new I get

If I click the hvssle link (I’m a maintainer of one of their gems, which I’ve already added to Dependabot, but I don’t work for Hassle) I get a 404, with the URL https://github.com/organizations/hvssle/settings/installations/26017.

The above definitely feels like a bug to me, and it’s problematic functionality-wise. You may already have the below issues on your internal tracker, but consider:

  1. I’m a user and add an installation to a repo I’m not an admin of. I then want to remove the installation, or to add another repo I’m an admin of. No can do. Snookered. Have to go get an admin.
  2. I’m an app owner and want to help users add new repos to their installation, if they can’t see the one they’re looking for. I don’t have any way of detecting what permissions the current user has (org admin or not). The best I can do is direct them to the general “Install Dependabot” screen, where any non-admins are going to get 404-ed on when trying to configure the account they came from (current case).

A quick fix for the above would be to show any configure links that the user doesn’t have access to as greyed out on the “Install” screen, with a tooltip suggesting they speak to an admin. That improves the problem in (2) quite a bit, but I still think the flow in (1) is pretty odd…


#11

@greysteil Thanks for sharing your thoughts – I’ll make sure that’s included in the internal issue we have for this. As soon as there are any updates – we’ll follow up here.


#12

@izuzak do we have any updates here? I am facing a similar problem to the one discussed in this thread above.

We have an app which is installed on the organization and eventually a few repos are configured to have this app. Now as a repo owner, not having admin access to the org in which my repo exists, I want to uninstall the app which has come from my org installation, but when I hit the Configure button it lands me on a 404 page.

As requested above, a repo owner should be allowed to uninstall the existing app. Also, one should be able to request an app which is installed on the org but not on the repo.