Questionable permission level

[shaedrich]

What do you need that excessive permissions for? I thought, you just need to read from a simple gist?

[thomasdavis]

Thanks for the report. It should only need;

• read and write public gist
• read user profile

The current permissions are set here -> https://github.com/jsonresume/jsonresume.org/blob/master/apps/registry/auth.js#L12

I will check it out later if no one else knows how to reduce those permissions

[thomasdavis]

Just need to change it to read:user for read only user.

But I don't think it's possible to scope it to public gist only

[shaedrich]

that seems to be included as the default:

See: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes

[thomasdavis]

Yeah but it doesn't support writing gist which is needed for the editor

[shaedrich]

Ah, okay. You are right. This would need the gist permission then

[thomasdavis]

I've updated it to just read user profile in this commit 8e5b9dc

Will keep this open for a little while to see if anyone has any good ideas to let people keep their gists private.

[shaedrich]

Awesome! Thanks 👍🏻