Cannot get public information from AddedToProjectEvent events

Hello everyone!

Recently I changed my code to use Issue.timelineItems since Issue.timeline is deprecated.

However, I’m getting FORBIDDEN errors from AddedToProjectEvent due to access restrictions on the repositories.
For example, I cannot get the timeline events from the following issue because the last event breaks my application.

The point is that the project card pointed to by these events is already public and its information is available on the GitHub website. Why is the same information protected/blocked on the GraphQL API?

:wave: hey there, @hsborges!

I ran this query to obtain that example issue’s timeline items:

query {
  repository(owner: "tensorflow", name: "tensorflow") {
    issue(number: 35817) {
      timelineItems(first: 20) {
        totalCount
        edges {
          node {
            __typename
          }
        }
      }
    }
  }
}
Result set
{
  "data": {
    "repository": {
      "issue": {
        "timelineItems": {
          "totalCount": 14,
          "edges": [
            {
              "node": {
                "__typename": "AssignedEvent"
              }
            },
            {
              "node": {
                "__typename": "LabeledEvent"
              }
            },
            {
              "node": {
                "__typename": "LabeledEvent"
              }
            },
            {
              "node": {
                "__typename": "IssueComment"
              }
            },
            {
              "node": {
                "__typename": "UnassignedEvent"
              }
            },
            {
              "node": {
                "__typename": "AssignedEvent"
              }
            },
            {
              "node": {
                "__typename": "LabeledEvent"
              }
            },
            {
              "node": {
                "__typename": "AssignedEvent"
              }
            },
            {
              "node": {
                "__typename": "UnassignedEvent"
              }
            },
            {
              "node": {
                "__typename": "UnassignedEvent"
              }
            },
            {
              "node": {
                "__typename": "AssignedEvent"
              }
            },
            {
              "node": {
                "__typename": "ClosedEvent"
              }
            },
            {
              "node": {
                "__typename": "IssueComment"
              }
            },
            {
              "node": {
                "__typename": "AddedToProjectEvent"
              }
            }
          ]
        }
      }
    }
  }
}

The AddedToProjectEvent is in the respective result set. However, I’m not sure how to reproduce the FORBIDDEN error mentioned in the OP (original post). I’m wondering if you could share an example query or curl -v request for reproducing that behavior so we can take a look and investigate further? :thought_balloon:

Hi @francisfuzz,

So, I ran your query and I'm still getting the forbidden error:

[
  {
    "type": "FORBIDDEN",
    "path": [
      "repository",
      "issue",
      "timelineItems",
      "edges",
      13
    ],
    "locations": [
      {
        "line": 7,
        "column": 9
      }
    ],
    "message": "Although you appear to have the correct authorization credentials, the `tensorflow` organization has enabled OAuth App access restrictions, meaning that data access to third-parties is limited. For more information on these restrictions, including how to whitelist this app, visit https://help.github.com/articles/restricting-access-to-your-organization-s-data/"
  }
]

Maybe the problem is related to the permissions of the access token. Currently, I'm using the permissions public_repo read:org read:user on it. Am I missing something?
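One way to keep a client from breaking on this kind of partial result, as an added Python example that is not code from the thread: the response is parsed once, each FORBIDDEN error is mapped back to the edge index in its path, those edges are skipped and reported, and any other error type still raises so real failures are not masked. The sample response is constructed, and returning the blocked edge as null is an assumption about the API's shape.

```python
from __future__ import annotations
import json

# Constructed sample response (not copied from the thread): partial data plus a
# FORBIDDEN error whose path names edge index 2 under timelineItems.
SAMPLE_RESPONSE = json.loads("""
{
  "data": {"repository": {"issue": {"timelineItems": {"totalCount": 3,
    "edges": [
      {"node": {"__typename": "AssignedEvent"}},
      {"node": {"__typename": "IssueComment"}},
      null
    ]}}}},
  "errors": [{
    "type": "FORBIDDEN",
    "path": ["repository", "issue", "timelineItems", "edges", 2],
    "locations": [{"line": 7, "column": 9}],
    "message": "... organization has enabled OAuth App access restrictions ..."
  }]
}
""")

EDGES_PATH = ["repository", "issue", "timelineItems", "edges"]


def forbidden_edge_indexes(resp: dict) -> set[int]:
    """Edge indexes that a FORBIDDEN error points at (path .../edges/<n>...)."""
    blocked = set()
    for err in resp.get("errors", []):
        path = err.get("path", [])
        if (err.get("type") == "FORBIDDEN" and path[:4] == EDGES_PATH
                and len(path) > 4 and isinstance(path[4], int)):
            blocked.add(path[4])
    return blocked


def collect_timeline_items(resp: dict) -> tuple[list[str], list[int]]:
    """Return (__typename of each readable node, edge indexes skipped as FORBIDDEN).

    Errors other than FORBIDDEN (bad query, rate limit, auth) are re-raised
    instead of being swallowed together with the access-restricted edges.
    """
    blocked = forbidden_edge_indexes(resp)
    other = [e for e in resp.get("errors", []) if e.get("type") != "FORBIDDEN"]
    if other:
        raise RuntimeError(f"GraphQL errors: {json.dumps(other)}")
    edges = resp["data"]["repository"]["issue"]["timelineItems"]["edges"]
    names = [e["node"]["__typename"] for i, e in enumerate(edges)
             if i not in blocked and e and e.get("node")]
    return names, sorted(blocked)
```

Logging the skipped indexes alongside the totalCount gives an audit trail of which org-restricted items the app could not read.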

Thanks for sharing that additional context! The token used to authenticate has the correct scopes attached. However, the tensorflow organization has OAuth app access restrictions enabled. When OAuth App access restrictions are enabled, only applications that are owned by the organization are automatically given access to the organization's resources. Thus, any other third-party applications must be explicitly approved by an organization owner before they can access any of the organization's public or private resources. Does this help explain what you're seeing?

As a next step, I suggest getting in touch with an owner of the tensorflow organization and asking them to approve your OAuth app to access its resources.

Not exactly, because the problem here is all about the AddedToProjectEvent.
For example, when I change this query to the first 13 ones, I don’t have any problems :thinking:

Result set
{
  "issue": {
    "timeline_items": {
      "timeline_items_count": 14,
      "edges": [
        {
          "node": {
            "typename": "AssignedEvent"
          }
        },
        {
          "node": {
            "typename": "LabeledEvent"
          }
        },
        {
          "node": {
            "typename": "LabeledEvent"
          }
        },
        {
          "node": {
            "typename": "IssueComment"
          }
        },
        {
          "node": {
            "typename": "UnassignedEvent"
          }
        },
        {
          "node": {
            "typename": "AssignedEvent"
          }
        },
        {
          "node": {
            "typename": "LabeledEvent"
          }
        },
        {
          "node": {
            "typename": "AssignedEvent"
          }
        },
        {
          "node": {
            "typename": "UnassignedEvent"
          }
        },
        {
          "node": {
            "typename": "UnassignedEvent"
          }
        },
        {
          "node": {
            "typename": "AssignedEvent"
          }
        },
        {
          "node": {
            "typename": "ClosedEvent"
          }
        },
        {
          "node": {
            "typename": "IssueComment"
          }
        }
      ]
    }
  }
}

So, how do I know what kind of resources are protected? Do repository owners select which ones they want to protect?
Besides that, why are these resources protected from being read by OAuth Apps whereas they can easily be read by other means?

@hsborges: Thanks for following up here. I see where this is confusing and after reading over these details and documentation again, I’d expect that public event to be publicly accessible by all actors regardless of how they authenticate and what scopes are attached to their respective token.

I’d like to look into this with our team and follow up here with an update in two days at the latest. :male_detective: