Integration Permission update


#1

Hi all, I just went through a change of permissions for one of my integrations, and I have a couple of comments.
Otherwise I must say it was painless, and really appreciate your work.

  1. My Integration is activated on a bunch of orgs; is it possible to get a single grouped email instead of 1 per org when changing permissions?
    Not critical but would be nice.

  2. The message of the email makes it hard to figure out which organization you receive the email from:

    You can accept or ignore {Integration}'s update request.

    To view the update please click here {URL}

Can the first sentence be changed to add the {org} or {org/repo} names?

Also the {URL} becomes a 404 once one admin has clicked, which is extremely confusing. It would be good to have instead a page that says “New permissions were reviewed and accepted by an admin of your team”, even if this page is here only for a day or two.

  3. I updated my app to request strictly fewer permissions. When this is the case, I expect my users to be informed for sure, though they should likely not have to agree everywhere. It was annoying for me to agree on all my orgs, so I can’t imagine for my users (hopefully I only have a few). It also strongly incentivizes me to not update my app permissions next time I require less, which is not good for security, and I know you care about security.

Otherwise changing permissions was relatively easy! Thanks again, only hoping to make it better!


#2

Thanks for the feedback @Carreau, we hear you loud and clear.

  1. Each organization with a GitHub App installed must agree to new permissions separately. In most cases organizations with Apps installed aren’t owned and administered by the App owner, with sending out individual emails to those organization admins being the only option.

That said, I understand how this can be frustrating and will pass this feedback on to the team for consideration.

  2. Great feedback here, too; I will also bring this up to the team.

  3. Agreed, downgrading permissions should not require explicit acceptance from organization owners. We have plans to handle this exact scenario.

Thanks again for the feedback!

Cheers,
Matt


#3

Thanks @mtodd for the prompt response! Completely understandable for 1), and agreed it is an edge case as I am on both sides of the integration. Still I think it also affects admins not app owners.

Let's say Travis-Ci suddenly asked to increase its permissions: I would receive 26 emails! (And I know people belonging to an even larger number of organisations.)

I can see from a code perspective how this could be annoying but in the case you figure out how to batch these notifications per admin that would be great, I would imagine something like the following as an email:

    The integration {{integration}} requested new permission,
    this affects the following organization you are part of:
    {% for (org, link) in to_update %}
        {{org}} {{link}}
    {% endfor %}

The other thing I see is this page:
https://github.com/apps/meeseeksdev/installations/new which lists for a single admin all the organisations they can install an Integration on.

So my guess is that your fantastic team should be able to generate a single page that lists for a single admin all the organisations on which they can update these new permissions. If you excuse my poor design skills:

Just hoping that may clarify what I was thinking, but again perfectly understandable that’s a 1% use case and it’s not everyday there is a change in permissions, so it may not be worth it.

Thanks for 2), and awesome for 3) ! You guys are always ahead !