Copilot Lvl 2
Message 1 of 2

Why are some permissionSources empty?


I am using the graphql api to query RepositoryCollaboratorEdge objects to see who has access to my repo and how.

 

But I am noticing that some users with permissions have nothing in the permissionSources. (To be clear, I am seeing organizations, teams and repository objects returning in the same query for other repos/collaborators.)

 

For example, this query:

query {
	viewer {
		repositories ( first:1 affiliations:[OWNER, ORGANIZATION_MEMBER], ownerAffiliations:[OWNER, ORGANIZATION_MEMBER] ){
			totalCount
			pageInfo {
				endCursor
				hasNextPage 
			}
			nodes { 
				name
				nameWithOwner
				
				collaborators (	first:1 ) {
					totalCount
					pageInfo {
						endCursor
						hasNextPage 
					}
					edges {
						node { login }
						permission
						permissionSources {
							permission
							source { 
								... on Organization { websiteUrl id name }
								... on Repository { homepageUrl id name nameWithOwner }
								... on Team { editTeamUrl id name combinedSlug } 
							}	
						}						
					}
				}
			}
		}
	}
}

 

has some results for collaborators that look like this snippet:

 

                        "collaborators": {
                            "totalCount": 103,
                            "pageInfo": {
                                "endCursor": "Y3Vyc29yOnYyOpHNA8E=",
                                "hasNextPage": true
                            },
                            "edges": [
                                {
                                    "permission": "WRITE",
                                    "permissionSources": []
                                },
                                {
                                    "permission": "ADMIN",
                                    "permissionSources": []
                                },

 

So my question is: What might cause these permission sources arrays to be empty?

 

Maybe this is an issue with the permission levels of the caller? But it seems strange to me that I should be able to see the collaborators and their permission at all if I can't see the permissionSources. Or perhaps there is another way to become a collaborator beyond organization membership, team membership or direct repo assignment? I'm also noticing that this appears to be happening to repos as a whole so maybe there is something there as well?

 

1 Reply
Solution
Community Manager
Message 2 of 2

Re: Why are some permissionSources empty?

Hi @fei0x,

 

Thanks for reaching out! If the token you are using doesn't have the correct (admin:org) scope, the GraphQL API will return a message saying so. If the token has this scope, but the user isn't an admin on the organization, nothing is returned, only a blank array.

 

I suspect that this information requires a user to be an organization administrator because this is the only way to find out this information in the web interface as well. Having this information available to every user through the API may be deemed a security risk.

 

I haven't done exhaustive testing, but it looks like a GitHub App will need metadata permission to find out information on collaborators. This gives the same information as the permissionSources endpoint.

 

I hope this helps!


Best,
AndreaG
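
An added example (not part of the original thread, and not GitHub's code): a Python audit helper over a response shaped like the question's query, which records an empty `permissionSources` as "not visible to this caller" instead of "no source", following the behaviour described in the reply above. The sample response, logins and repository names are constructed, and the source type is inferred from the fields the question's fragments select.

```python
# Constructed sample (not real data), shaped like the response to the question's query.
SAMPLE = {"data": {"viewer": {"repositories": {"nodes": [
    {"nameWithOwner": "example-org/visible", "collaborators": {"edges": [
        {"node": {"login": "alice"}, "permission": "ADMIN", "permissionSources": [
            {"permission": "ADMIN",
             "source": {"websiteUrl": None, "id": "O_1", "name": "example-org"}},
            {"permission": "WRITE",
             "source": {"editTeamUrl": "https://example.invalid/t", "id": "T_1",
                        "name": "devs", "combinedSlug": "example-org/devs"}}]}]}},
    {"nameWithOwner": "other-org/opaque", "collaborators": {"edges": [
        {"node": {"login": "bob"}, "permission": "WRITE", "permissionSources": []},
        {"node": {"login": "carol"}, "permission": "ADMIN", "permissionSources": []}]}},
]}}}}

def source_kind(source):
    """Infer the source type from the fields selected by the question's fragments."""
    if "combinedSlug" in source:
        return "Team"
    if "nameWithOwner" in source:
        return "Repository"
    if "websiteUrl" in source:
        return "Organization"
    return "Unknown"

def audit(response):
    """Per repository, list each collaborator's sources; None means 'not visible'."""
    if response.get("errors"):  # standard GraphQL top-level error list
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    report = {}
    for repo in response["data"]["viewer"]["repositories"]["nodes"]:
        rows = []
        for edge in repo["collaborators"]["edges"]:
            sources = [(source_kind(s["source"]), s["source"].get("name"), s["permission"])
                       for s in edge.get("permissionSources") or []]
            rows.append({"login": (edge.get("node") or {}).get("login"),
                         "permission": edge["permission"],
                         # An empty array is treated as hidden, never as "no source".
                         "sources": sources or None})
        hidden = sum(1 for r in rows if r["sources"] is None)
        report[repo["nameWithOwner"]] = {
            "collaborators": rows, "sources_hidden": hidden,
            # Every edge empty: per the reply, the caller is likely not an org admin.
            "all_hidden": bool(rows) and hidden == len(rows)}
    return report

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(name, "hidden:", result["sources_hidden"], "all hidden:", result["all_hidden"])
```

Repositories reported with `all_hidden` set are the ones to re-query with a token belonging to an administrator of the owning organization before drawing conclusions about how access was granted.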
