Document connected account permissions #6172
Conversation
|
Should we talk about the GitLab Event we are accessing (e.g: readthedocs.org/readthedocs/oauth/services/gitlab.py Lines 261 to 267 in e50345c |
|
@saadmk11 webhooks are part of the API. That is only the list of events we subscribe when creating the webhook (that list of events are in this same page if I remember correctly). |
There was a problem hiding this comment.
There is a meta question of whether this is the right place for this information.
I think it is 👍
we should link to this from the login and signup screens so users are prepared for permission prompts.
I think this is a good idea. We should put this on https://readthedocs.org/accounts/social/connections/ too.
|
If we're good with this change, let's go forward with it. Once this has "been released" an is available in the stable version, we'll add those links to it. |
There was a problem hiding this comment.
It's good to have this explicitly stated, there have been questions here in the past. Mostly from commercial accounts wondering why we require admin repo permissions. Hopefully the move to a GitHub App, instead of the OAuth app, will give us more permission granularity and we can avoid asking for admin access.
| However, we do need permissions for authorizing your account | ||
| so that you can login to Read the Docs with your connected account credentials | ||
| and to setup :doc:`webhooks` | ||
| which allow us to build your documentation on every change to your repository. |
There was a problem hiding this comment.
Unfortunately, the commercial side does ask for admin (and therefore write) permissions, as this is the lowest granularity that GitHub has/had in order to add private ssh keys. Moving to a GitHub App instead does probably give us finer permission control, if i remember correctly.
This is a documentation only pull request that just documents why we ask for the permissions from GitHub, Bitbucket, and GitLab. We've had a few questions about this in the past.
There is a meta question of whether this is the right place for this information. Another question is whether we should link to this from the login and signup screens so users are prepared for permission prompts.