dashboard: github connect: investigate potential UX improvements #2652
Thank you for opening this issue so this can be discussed. I personally perceive a security issue with this approach - the security of my business. Point 2 I understand and does not allow new projects to connect to github, so I will focus on point 1 with regards to my comments: "you are the org admin that installed the github app". I am writing these comments from the perspective of the Org Owner. I will call the admin who added the Nhost github app to my Org the "Nhost admin". I see the following security concerns with the current approach:
Proposed short term solutions:
Before proposing long term solutions, a few points:
I propose the following long term solution:
This one security change addresses concerns 1-3 above. Additionally, I propose for consideration:
The reason for this security change is it makes it much easier for the Owner to reason about who has true Admin privileges for a repo and it allows quick demotion of privileges on the Nhost side (which is an important aspect of security). In other words, if the Nhost app were to rely on and trust the Github Admin role to determine privilege to connect to an Nhost project, the Owner can easily revoke that privilege simply by demoting the current Nhost admin in Github. Under the current security policies, to demote the current Nhost admin requires:
Thanks for considering these points. :)
It is mostly treated on a case by case basis and usually handled quickly to avoid disruption. Re the rest, thanks for the ideas. We will evaluate them and see how to move forward.
Right now, we have two simple rules to allow users to connect a github repository to a project:
This has some pros (it is simple and effective) and some cons (some users may find it frustrating as they may not understand why they can't connect a repo despite having access to it).
This issue is about investigating potential solutions for the latter without compromising security.