Include the user's role when listing installations for a user


#1

To get a list of resources both an app and a user can access, the preferred approach is to use this endpoint.

That’s great, but it doesn’t give details of what the user’s permissions are over the shared resources. To get that, currently an app needs to ask for read permissions over the Organization members resource, which provides lots of additional permissions the app probably doesn’t need (e.g., enumerating all members of the organisation).

My specific use case is displaying a settings screen to a logged in user only if they are an account admin. I’d love the “List installations for user” endpoint to return details of the user’s role over the shared resource, probably just as a "user_role": "admin" attribute on each installation. (Alternatively, a filter by role on the “List installations for user” endpoint would work.)
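For readers who want to see the current workaround the post describes, here is an added example (not code from the original thread, and not GitHub's own code): it lists the installations shared between the app and the user, then resolves the user's role on each one. It assumes the app holds a user-to-server OAuth token and has been granted read access to "Organization members"; the `sample_fetch` responses are constructed for the example, and `github_fetch` is only used when you pass a real token. The endpoints assumed are GET /user, GET /user/installations and GET /user/memberships/orgs/{org}.

```python
"""Find the installations a user administers (added example, not the thread's code)."""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Optional

API = "https://api.github.com"
Fetch = Callable[[str, str], Dict[str, Any]]  # (path, token) -> decoded JSON body


def github_fetch(path: str, token: str) -> Dict[str, Any]:
    """One authenticated GET against the REST API (pagination omitted for brevity)."""
    req = urllib.request.Request(
        API + path,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "installation-role-example",
        },
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # A 403 here is the symptom the post describes: the app was not granted
        # "Organization members" read access, so the role cannot be determined.
        return {"_status": err.code}


def user_role(installation: Dict[str, Any], login: str, token: str, fetch: Fetch) -> Optional[str]:
    """Return "admin", "member", or None when the role is unknown."""
    account = installation["account"]
    if account["type"] == "User":
        # A personal account is administered only by its owner.
        return "admin" if account["login"] == login else None
    body = fetch(f"/user/memberships/orgs/{account['login']}", token)
    if "_status" in body or body.get("state") != "active":
        return None  # permission missing, or membership still pending
    return body.get("role")


def admin_installations(token: str, fetch: Fetch = github_fetch) -> List[Dict[str, Any]]:
    """Installations from /user/installations on which the user is an admin."""
    login = fetch("/user", token)["login"]
    return [
        inst
        for inst in fetch("/user/installations", token)["installations"]
        if user_role(inst, login, token, fetch) == "admin"
    ]


# Constructed sample responses (hypothetical accounts) so the example runs offline.
SAMPLE_RESPONSES: Dict[str, Dict[str, Any]] = {
    "/user": {"login": "alice"},
    "/user/installations": {
        "total_count": 4,
        "installations": [
            {"id": 1, "account": {"login": "alice", "type": "User"}},
            {"id": 2, "account": {"login": "acme", "type": "Organization"}},
            {"id": 3, "account": {"login": "globex", "type": "Organization"}},
            {"id": 4, "account": {"login": "initech", "type": "Organization"}},
        ],
    },
    "/user/memberships/orgs/acme": {"state": "active", "role": "admin"},
    "/user/memberships/orgs/globex": {"state": "active", "role": "member"},
    # Simulates the 403 an app gets without "Organization members" access.
    "/user/memberships/orgs/initech": {"_status": 403},
}


def sample_fetch(path: str, token: str) -> Dict[str, Any]:
    """Offline stand-in for github_fetch backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    for inst in admin_installations("dummy-token", fetch=sample_fetch):
        print(inst["id"], inst["account"]["login"])
```

Note that installation 4 is dropped rather than treated as an admin: when the membership lookup is denied, the safe default is to withhold the admin-only screen.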


#2

Thanks for the request and use case, @greysteil, and for bringing to light a place where you feel you have to request more access than you actually need.

As of right now, the permission you mentioned aligns with our recommended workflow for your use case. We believe the organization membership information you’re requesting should require some level of permission (i.e. we don’t feel comfortable giving it “automatically”), and we currently don’t have plans to allow a more granular way to access it.


#3

Drat, that’s disappointing, but good to have clarity so quickly.

Just to be 100% certain we’re on the same page, the “List installations for user” endpoint is only accessible with an app’s OAuth access token for a given user, and the user will have seen this screen to authorise it:

In my mind the line “Determine what resources both you and Dependabot can access” could reasonably be considered to include the level of access you have over those resources. I appreciate it’s a little bit of a stretch, but without that interpretation our only way of avoiding permission escalation through an app (for tasks only an admin would normally be able to undertake) is to ask the organisation for full membership details at signup.