Hi! I have a question about GitHub OAuth scopes that is causing some confusion.
I’m making a PUT request to the /orgs/{org}/memberships/{username} endpoint.
curl -X PUT 'https://api.github.com/orgs/{org_name}/memberships/{username}' \
-H 'Authorization: token {token_here_removed}' \
-H 'Content-Type: application/json'
I am the owner of the org I am making the request for. And it’s returning successfully, but what is confusing to me is that I am able to successfully make the request with my current scopes at all. I thought it would fail.
The X-OAuth-Scopes header in the response is:
delete_repo, gist, read:org, repo, user, write:public_key, write:repo_hook
I thought I would need write:org or admin:org to take this action.
Looking at the X-Accepted-OAuth-Scopes header, I see it is: admin:org, repo.
The only thing I can think of is that the repo scope allows this action. Also, for the scopes listed in the X-Accepted-OAuth-Scopes header, is it admin:org AND repo or admin:org OR repo?
Basically, how is this possibly working?
Thank you!
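The header comparison described in the post above, as an added example that is not part of the original post: it parses a response header block and reports which granted scopes overlap with the scopes the endpoint checked. The header block is constructed from the values quoted in the post, the function names are hypothetical, and treating a single overlapping scope as sufficient is an assumption, not something the post confirms.

```python
# Added example (not from the original post): compare the two scope headers.
# ASSUMPTION: one granted scope appearing in the accepted list is treated as
# sufficient, and an empty accepted list is treated as "no scope checked".

# Constructed sample: a response header block using the values quoted in the post.
SAMPLE_HEADERS = """\
HTTP/2 200
x-oauth-scopes: delete_repo, gist, read:org, repo, user, write:public_key, write:repo_hook
x-accepted-oauth-scopes: admin:org, repo
"""


def parse_headers(raw):
    """Map lower-cased header names to values (header names are case-insensitive)."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # the status line has no colon and is skipped
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_scopes(value):
    """Split a comma-separated scope list into a set, dropping empty entries."""
    return {s.strip() for s in value.split(",") if s.strip()}


def compare_scopes(raw):
    """Report how the token's scopes relate to the scopes the endpoint checked."""
    headers = parse_headers(raw)
    granted = parse_scopes(headers.get("x-oauth-scopes", ""))
    accepted = parse_scopes(headers.get("x-accepted-oauth-scopes", ""))
    matching = granted & accepted
    return {
        "matching": sorted(matching),
        "accepted_not_granted": sorted(accepted - granted),
        "granted_not_checked": sorted(granted - accepted),
        "allowed_under_any_of": (not accepted) or bool(matching),
    }


if __name__ == "__main__":
    for key, value in compare_scopes(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The `granted_not_checked` list is also a quick way to spot scopes a token carries that this call never needed, which is useful when trimming a token down to least privilege.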