Determining if a User has Owner permissions of an Organization


#1

I’m building a GitHub app right now and as I’m a new app and not part of the marketplace yet I’m building my own billing system. I would like to create certain subscriptions per installation and only allow organization owners to be able to create/modify subscriptions.

For an organization installation, what is the best way for a GitHub app to determine if a user is an “owner” of the organization that an installation belongs to?

If that is not possible, what is the best practice when it comes to access control around subscriptions for an installation?


#2

Could you use https://developer.github.com/v3/orgs/members/#get-organization-membership?


#3

Tried that; I’m getting a “Resource not accessible by integration” response. Not sure if that endpoint is not accessible to GitHub apps at all or if it’s a permissions issue. I do have “Organization members” set to “Read Only” for my app. I am using the user’s OAuth token.


#4

We’re in the middle of an audit of all the API endpoints and their availability to GitHub Apps, and that endpoint is one of the ones we need to enable. I can’t give you an exact timeline, but we’re in the midst of doing the work and should be able to give you a better update soon.


#5

I just tried it with my app’s key, and it worked. My bad. It is a bit confusing, as I figured determining the resources accessible for a user should be from the user’s key not the app’s.

Makes sense I guess, since you provide the org and the user.


#6

Ah! The accessibility is based on the permissions level of the App, not of the user you’re checking. :+1:
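As an added example, not code from this thread or from GitHub, here is how a GitHub App could perform the check that #5 and #6 settle on: call GET /orgs/{org}/memberships/{username} with the app's installation access token (not the end user's OAuth token), and treat only an active membership whose role is "admin" as an owner. Obtaining the installation token is assumed to have happened already; the `acme` org, the user names and the entries in `SAMPLE_RESPONSES` are constructed test data, and `sample_fetch` stands in for the network so the block runs offline.

```python
"""Owner check for a GitHub App, via the organization membership endpoint.

Added example (not from the thread). Assumes an installation access token
is already in hand; the sample org/users/responses below are constructed.
"""
import json
import re
import urllib.error
import urllib.request

API_ROOT = "https://api.github.com"

# GitHub logins and org names consist of alphanumerics and hyphens. Validate
# before interpolating into a URL path so a crafted name cannot alter the path.
_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")


def http_get(url, headers):
    """Real transport: returns (HTTP status, parsed JSON body or {})."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw) if raw else {}
        except ValueError:
            return err.code, {}


def is_org_owner(org, username, installation_token, fetch=http_get):
    """True only for an active member whose membership role is 'admin'.

    The token must be the app's installation access token; the app needs the
    'Organization members: Read' permission for this endpoint to answer.
    """
    for name in (org, username):
        if not _NAME_RE.match(name):
            raise ValueError(f"invalid GitHub name: {name!r}")
    url = f"{API_ROOT}/orgs/{org}/memberships/{username}"
    headers = {
        "Authorization": f"Bearer {installation_token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "example-owner-check",
    }
    status, body = fetch(url, headers)
    if status == 404:
        return False  # not a member (or the org is not visible to the app)
    if status == 403:
        # "Resource not accessible by integration": wrong token type or the
        # app lacks the Organization members permission.
        raise PermissionError(
            "membership endpoint not accessible: " + str(body.get("message", "")))
    if status != 200:
        raise RuntimeError(f"unexpected status {status}: {body}")
    # 'pending' means invited but not yet accepted; only active admins count.
    return body.get("state") == "active" and body.get("role") == "admin"


# Constructed responses for an offline run; not captured from GitHub.
SAMPLE_RESPONSES = {
    f"{API_ROOT}/orgs/acme/memberships/alice": (200, {"state": "active", "role": "admin"}),
    f"{API_ROOT}/orgs/acme/memberships/bob": (200, {"state": "active", "role": "member"}),
    f"{API_ROOT}/orgs/acme/memberships/carol": (200, {"state": "pending", "role": "admin"}),
    f"{API_ROOT}/orgs/acme/memberships/dave": (404, {"message": "Not Found"}),
}


def sample_fetch(url, headers):
    """Fake transport: unknown users get the 403 an under-permissioned app sees."""
    return SAMPLE_RESPONSES.get(
        url, (403, {"message": "Resource not accessible by integration"}))


def check_samples():
    """Run the owner check over the constructed users; returns {user: bool}."""
    return {
        user: is_org_owner("acme", user, "ghs_constructed_token", fetch=sample_fetch)
        for user in ("alice", "bob", "carol", "dave")
    }


if __name__ == "__main__":
    print(check_samples())
```

In a real deployment the `fetch` default is used and the token is the short-lived installation access token minted for the org's installation; the user whose role is being checked is identified out of band (for instance from their OAuth login), and the subscription write is only allowed when `is_org_owner` returns True. A pending invitation is deliberately rejected, since an invitee has not accepted ownership yet.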