Potential Bug: Protected Branches from V4 are empty when V3 is not


#1

For this example, I am using a token that has write access to some_owner/some_repo. When I do this with a token that has admin access to the repo, V4 returns the expected results.

V4

query {
  repository(name: "some_repo", owner: "some_owner") {
    protectedBranches(first: 100) {
      edges {
        node {
          name
          hasRequiredStatusChecks
        }
      }
    }
  }
}
{
  "data": {
    "repository": {
      "protectedBranches": {
        "edges": []
      }
    }
  }
}

V3

curl -X GET -H 'Accept: application/vnd.github.loki-preview+json' "https://api.github.com/repos/some_owner/some_repo/branches?protected=true&access_token=xxxxxxxx"
[
  {
    "name": "some_branch",
    "commit": {
      "sha": "deadbeef",
      "url": "some_url"
    },
    "protected": true,
    "protection": {
      "enabled": true,
      "required_status_checks": {
        "enforcement_level": "off",
        "contexts": []
      }
    },
    "protection_url": "another_url"
  }
]

#2

Good find, @mceldeen!

Just to clarify, when you say “V4 returns the expected results”, did you mean that “V4 does not return the expected results”?

After taking a quick look, I think that the V4 API might be doing the correct thing here, and V3 is incorrect. If I execute that query against a repository that I do not have admin privileges of, I do not get anything back, but I do get results from the REST API.

I see that you had mentioned that the token has admin access, do you mean it was created with repo scope? I’m curious if the user who created the token is listed as an owner of the repository?

I’ve added an internal issue for us to take a deeper look. I suspect this will result in us tightening up the permissions for the REST API.


#3

@bswinnerton - sorry about the ambiguity. The admin token has repo scope. I don’t remember if the user was an owner of the repo or not. What I meant by “expected results” comes from our use case. We are trying to determine, through the api, if a pull request is ready to be tested (and a tester is not necessarily a repo admin). To determine that, we are checking merge-ability status, reviews, and status checks in light of the relevant protected branch requirements.

Based on this use case, we would prefer if a user with write access on a repository could view the protected branch requirements, which affect what information they see on the GitHub pull request’s page. Perhaps there is a better approach?
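The readiness check described in the post above (mergeability, reviews and status checks evaluated against the target branch's protection rules), as an added example that is not part of the original thread and is not GitHub's or the poster's code. The branch-protection document mirrors the V3 response quoted in post #1 (protection.required_status_checks with enforcement_level and contexts); the pull-request, review and combined-status shapes, the min_approvals policy and all sample data are assumptions constructed for the example.

```python
"""Decide whether a pull request is ready to test, given the target
branch's protection rules and the PR's reviews and status checks.

Added example, not code from the original thread or from GitHub.  The
branch-protection dict mirrors the REST (v3) response quoted above;
the pull-request, review and combined-status shapes are assumptions
loosely modelled on the REST API, and all sample data is constructed.
"""
from typing import Dict, List, Tuple


def required_contexts(branch: dict) -> List[str]:
    """Return the status-check contexts the branch requires.

    An enforcement_level of "off" means no checks are required even if
    contexts are listed; missing keys are treated as "no protection".
    """
    protection = branch.get("protection") or {}
    if not branch.get("protected") or not protection.get("enabled"):
        return []
    checks = protection.get("required_status_checks") or {}
    if checks.get("enforcement_level", "off") == "off":
        return []
    return list(checks.get("contexts") or [])


def latest_review_states(reviews: List[dict]) -> Dict[str, str]:
    """Keep each reviewer's most recent APPROVED / CHANGES_REQUESTED verdict.

    Reviews are assumed to be in submission order; COMMENTED reviews do
    not change a reviewer's verdict.
    """
    verdicts: Dict[str, str] = {}
    for review in reviews:
        state = review.get("state")
        if state in ("APPROVED", "CHANGES_REQUESTED"):
            verdicts[review["user"]["login"]] = state
    return verdicts


def latest_status_per_context(combined: dict) -> Dict[str, str]:
    """Map each status context to its latest state (later entries win)."""
    result: Dict[str, str] = {}
    for status in combined.get("statuses") or []:
        result[status["context"]] = status["state"]
    return result


def pr_ready(branch: dict, pull: dict, reviews: List[dict],
             combined_status: dict, min_approvals: int = 1) -> Tuple[bool, List[str]]:
    """Return (ready, reasons).  min_approvals is an assumed local policy,
    not a field taken from the branch-protection response."""
    reasons: List[str] = []

    # 1. Mergeability as reported by GitHub (None means still computing).
    if pull.get("mergeable") is not True:
        reasons.append("pull request is not mergeable (state=%r)"
                       % pull.get("mergeable_state"))

    # 2. Reviews: no outstanding change requests, enough approvals.
    verdicts = latest_review_states(reviews)
    blockers = sorted(u for u, s in verdicts.items() if s == "CHANGES_REQUESTED")
    if blockers:
        reasons.append("changes requested by: " + ", ".join(blockers))
    approvals = sum(1 for s in verdicts.values() if s == "APPROVED")
    if approvals < min_approvals:
        reasons.append("%d approval(s) required, %d present" % (min_approvals, approvals))

    # 3. Required status checks taken from the protected-branch rules.
    states = latest_status_per_context(combined_status)
    for context in required_contexts(branch):
        if states.get(context) != "success":
            reasons.append("required check %r is %s" % (context, states.get(context, "missing")))

    return (not reasons, reasons)


# Constructed sample data.  BRANCH_NO_CHECKS mirrors the v3 response in post #1.
BRANCH_NO_CHECKS = {
    "name": "some_branch", "protected": True,
    "protection": {"enabled": True,
                   "required_status_checks": {"enforcement_level": "off", "contexts": []}},
}
BRANCH_CI_REQUIRED = {
    "name": "some_branch", "protected": True,
    "protection": {"enabled": True,
                   "required_status_checks": {"enforcement_level": "everyone",
                                              "contexts": ["ci/build"]}},
}
PULL_CLEAN = {"number": 42, "mergeable": True, "mergeable_state": "clean"}
REVIEWS = [
    {"user": {"login": "alice"}, "state": "CHANGES_REQUESTED"},
    {"user": {"login": "bob"}, "state": "COMMENTED"},
    {"user": {"login": "alice"}, "state": "APPROVED"},  # supersedes her earlier request
]
STATUS_PENDING = {"state": "pending",
                  "statuses": [{"context": "ci/build", "state": "pending"}]}
STATUS_GREEN = {"state": "success",
                "statuses": [{"context": "ci/build", "state": "failure"},
                             {"context": "ci/build", "state": "success"}]}

if __name__ == "__main__":
    for branch, status in ((BRANCH_NO_CHECKS, STATUS_PENDING),
                           (BRANCH_CI_REQUIRED, STATUS_PENDING),
                           (BRANCH_CI_REQUIRED, STATUS_GREEN)):
        ready, why = pr_ready(branch, PULL_CLEAN, REVIEWS, status)
        print(branch["protection"]["required_status_checks"]["enforcement_level"],
              status["state"], "->", "ready" if ready else "; ".join(why))
```

The point of the enforcement_level check is the case in post #1: a branch can be "protected" with status checks listed but enforcement off, so a naive "protected means checks required" rule would block the tester needlessly. The reverse problem from the thread, a write-scoped token getting an empty protectedBranches list from V4, is not something this function can detect; it would simply see no requirements, so the caller should treat an empty protection result from a non-admin token with suspicion.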


#4

@bswinnerton I work with @mceldeen and was wondering if you had any updates about this being included in the v4 api or recommendations on how to implement our feature. We’d really like to move forward with the work we’re doing.