> On Dec 14, 2018, at 9:21 AM, Joan Touzet <woh...@apache.org> wrote:
>
> Allen Wittenauer wrote:
>> I think part of the basic problem here is that Github’s view of permissions
>> is really awful. It is super super dumb that accounts have to have
>> admin-level privileges for repos to use the API to do some basic things that
>> can otherwise be gleaned by just scraping the user-facing website. If
>> anyone from Github is here, I’d love to have a chat. ;)
>
> FYI I've previously been told we can't use addons to GitHub to improve
> the issue management workflow (like https://waffle.io/) precisely
> because GitHub's permissions model is so poor, allowing an external
> tool to move tickets around requires giving it effectively commit
> access, which is forbidden to third parties.

Putting my thinking cap on, I wonder if the workaround here is to have a proxy for the REST API that forwards the ‘safe’ calls but disallows others. Maybe one already exists? I totally get the security and potentially legal ramifications of having accounts that can push. But it sure seems like this problem is solvable with a bit of elbow grease.
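
The allowlisting proxy idea in the message above, reduced to its decision function: this is an added example, not code from the thread or from any existing project. The repository name and the choice of which GitHub REST calls count as 'safe' are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: which calls are 'safe' is a local policy decision. This list
# (read issues/PRs, edit and relabel issues) only illustrates the shape.
ALLOWED_REPOS = {"example-org/example-repo"}   # constructed placeholder
SEG = r"[A-Za-z0-9._-]+"
RULES = [
    ("GET",   re.compile(rf"/repos/({SEG}/{SEG})/(?:issues|pulls)(?:/\d+)?")),
    ("GET",   re.compile(rf"/repos/({SEG}/{SEG})/issues/\d+/(?:comments|labels)")),
    ("PATCH", re.compile(rf"/repos/({SEG}/{SEG})/issues/\d+")),
    ("POST",  re.compile(rf"/repos/({SEG}/{SEG})/issues/\d+/labels")),
]

def decide(method, target):
    """Return (allowed, reason) for one request; anything unlisted is denied."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False, "absolute URL not accepted"
    path = parts.path
    # Refuse paths the upstream API might normalise differently than we do.
    segments = path.split("/")
    if "%" in path or "//" in path or "." in segments or ".." in segments:
        return False, "non-canonical path"
    for verb, pattern in RULES:
        match = pattern.fullmatch(path)
        if method == verb and match:
            if match.group(1).lower() not in ALLOWED_REPOS:
                return False, "repository not in scope"
            return True, "allowlisted"
    return False, "no matching rule"

if __name__ == "__main__":
    # Constructed sample requests, as the proxy would see them.
    samples = [
        ("GET", "/repos/example-org/example-repo/issues?state=open"),
        ("POST", "/repos/example-org/example-repo/issues/12/labels"),
        ("PUT", "/repos/example-org/example-repo/contents/README.md"),
        ("GET", "/repos/example-org/example-repo/issues/../git/refs"),
    ]
    for method, target in samples:
        print(method, target, "->", decide(method, target))
```

The proxy would hold the privileged token itself and hand clients a separate credential, so the token's broad scope never leaves the proxy. Request bodies are not inspected here, so a rule such as the PATCH one allows every field that endpoint accepts.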