Why are some permissionSources empty? #24829
-
I am using the GraphQL API to query RepositoryCollaboratorEdge objects to see who has access to my repo and how. But I am noticing that some users with permissions have nothing in the permissionSources. (To be clear, I am seeing organizations, teams and repository objects returning in the same query for other repos/collaborators.) For example. This query:
Has some results for collaborators that are looking like this snippet:
So my question is: What might cause these permission sources arrays to be empty? Maybe this is an issue with the permission levels of the caller? But it seems strange to me that I should be able to see the collaborators and their permission at all if I can’t see the permissionSources. Or perhaps there is another way to become a collaborator beyond organization membership, team membership or direct repo assignment? I’m also noticing that this appears to be happening to repos as a whole so maybe there is something there as well?
Replies: 2 comments 2 replies
-
Hi @fei0x,

Thanks for reaching out! If the token you are using doesn’t have the correct (admin:org) scope, the GraphQL API will return a message saying so. If the token has this scope, but the user isn’t an admin on the organization, nothing is returned, only a blank array.

I suspect that this information requires a user to be an organization administrator because this is the only way to find out this information in the web interface as well. Having this information available to every user through the API may be deemed a security risk.

I haven’t done exhaustive testing, but it looks like a GitHub App will need metadata permission to find out information on collaborators. This gives the same information as the

I hope this helps!

-

I am an admin and I have given NOTE: giving
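
The two cases described in the first reply (an explicit API error versus silently blank arrays) can be told apart when auditing repository access. The following is an added example, not code from the thread: the query uses GitHub's GraphQL schema fields for collaborators and permission sources, the response is constructed sample data, and `audit_sources` is a hypothetical helper name.

```python
# Added example: the query is not the one from the original post; SAMPLE is constructed.
QUERY = """
query($owner: String!, $name: String!) {
  repository(owner: $owner, name: $name) {
    collaborators(first: 100) {
      edges {
        permission
        node { login }
        permissionSources {
          permission
          source {
            __typename
            ... on Organization { login }
            ... on Team { slug }
            ... on Repository { nameWithOwner }
          }
        }
      }
    }
  }
}
"""

SAMPLE = {"data": {"repository": {"collaborators": {"edges": [
    {"permission": "ADMIN", "node": {"login": "alice"}, "permissionSources": [
        {"permission": "ADMIN", "source": {"__typename": "Organization", "login": "example-org"}}]},
    {"permission": "WRITE", "node": {"login": "bob"}, "permissionSources": []},
]}}}}

def audit_sources(response):
    """Classify a collaborators response by how complete permissionSources is."""
    if response.get("errors"):
        # First case in the reply: the API reports the problem explicitly.
        return {"status": "api_error",
                "messages": [e.get("message", "") for e in response["errors"]]}
    repo = (response.get("data") or {}).get("repository") or {}
    edges = (repo.get("collaborators") or {}).get("edges") or []
    # Collaborators whose permission is listed but has no recorded source.
    empty = [e["node"]["login"] for e in edges if not e.get("permissionSources")]
    if edges and len(empty) == len(edges):
        status = "all_empty"   # every array blank: matches the reply's non-admin caller case
    elif empty:
        status = "some_empty"  # only some collaborators lack a source
    else:
        status = "complete"
    return {"status": status, "unexplained": empty}
```

An `all_empty` result for a whole repository is a reason to check the caller's role before treating the access data as complete.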