GitHub team members (as opposed to admins/owners) don't have sufficient github permissions to add that team on crates.io #1368

Open
kornelski opened this issue Apr 24, 2018 · 6 comments
Labels
A-accounts A-teams C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works

Comments

@kornelski
Contributor

I'm a member (but not admin/owner) of github:mozilla:mozjpeg. I'm unable to add the team as a crate owner:

cargo owner --add github:mozilla:mozjpeg

It looks like you don't have permission to query a necessary property from Github to complete this request. You may need to re-authenticate on crates.io to grant permission to read github org memberships. Just go to https://crates.io/login

The link doesn't help (I've tried logging out and back again), because I don't have the ability to grant crates.io access to the GitHub org private data:

This limits the ability to add crates to admins/owners of GitHub teams. I'm not sure if it's a bug or a feature :)

@sgrif
Contributor

sgrif commented Apr 24, 2018

I'd be interested to see the commit which introduced the permissions check to see what the intent there was. I'd find the commit myself, but #1287 has made that pretty time-consuming to do.

@jtgeibel
Member

I'm not quite sure what is going on here. The particular error is because the github api is returning a 401 or 403 response, but I'm not sure which of the multiple api requests involved is causing the problem.

The following are all from src/models/team.rs:

  • format!("/orgs/{}/teams?per_page=100", org_name)
  • format!("/orgs/{}", org_name)
  • format!("/teams/{}/memberships/{}", &github_id, &user.gh_login)

The following worked fine for me, and I'm in a similar situation where I am a member of the team but have no additional rights at the team or org level.

cargo owner --add github:rust-lang:crates-io-pushers
    Updating registry `https://github.com/rust-lang/crates.io-index`
       Owner team github:rust-lang:crates-io-pushers has been added as an owner of crate civet

My best guess at the moment is that either the mozilla org or mozjpeg team is more locked down and is denying one (or more) of the api requests.
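
Added example (not part of the thread and not crates.io code): a Python probe that sends the three requests listed in the comment above with an OAuth token and reports which one GitHub answers with 401 or 403. The function names and the sample org, team id and login are illustrative assumptions; only the three paths come from the comment.

```python
import json
import urllib.error
import urllib.request

API = "https://api.github.com"

def team_requests(org_name, github_id, gh_login):
    """The three request paths quoted above from src/models/team.rs."""
    return [
        f"/orgs/{org_name}/teams?per_page=100",
        f"/orgs/{org_name}",
        f"/teams/{github_id}/memberships/{gh_login}",
    ]

def http_status(token):
    """Return a fetch(path) -> HTTP status function that uses a real OAuth token."""
    def fetch(path):
        req = urllib.request.Request(API + path, headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "team-access-probe",  # hypothetical client name
        })
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 4xx/5xx arrive as exceptions; keep the status
    return fetch

def probe(fetch, org_name, github_id, gh_login):
    """Report, per request, whether GitHub answered 401/403 (the denied case)."""
    report = []
    for path in team_requests(org_name, github_id, gh_login):
        status = fetch(path)
        report.append({"path": path, "status": status, "denied": status in (401, 403)})
    return report

def first_denied(report):
    """Path of the first denied request, or None if every request was allowed."""
    return next((r["path"] for r in report if r["denied"]), None)

# Constructed statuses for offline illustration; not captured from GitHub.
SAMPLE = {"/orgs/example-org/teams?per_page=100": 403, "/orgs/example-org": 200}

if __name__ == "__main__":
    offline = lambda path: SAMPLE.get(path, 404)
    print(json.dumps(probe(offline, "example-org", 1234, "example-user"), indent=2))
```

For a live check, pass `http_status(token)` as `fetch`, using a token that carries only the `read:org` scope mentioned later in the thread.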

@jtgeibel
Member

A few other data points. If I'm logged out of github, the following URLs ask me to sign in:

If I'm signed in, the first URL works for me (as I'm a member of a team there), but the mozilla one redirects me and notifies me that "You’re not a member of any teams in this organization."

Therefore, it seems that team membership is part of the "organization's private data" and that the mozilla org is blocking access to this information as noted in the hover text in your screenshot.

We're only requesting the "read:org" scope from GitHub, so I don't think there is anything we can do on the crates.io end to better support this.

I believe this help page describes a way to request that the org admins grant our app access to this data.

@kornelski
Contributor Author

GitHub is odd indeed. I get the same notice about not being a member, despite being listed as a member!


@carols10cents changed the title from "GitHub team members don't have sufficient permissions to add teams on crates.io" to "GitHub team members don't have sufficient permissions to change owners on crates.io" Jun 27, 2018
@carols10cents changed the title from "GitHub team members don't have sufficient permissions to change owners on crates.io" to "GitHub team members (as opposed to admins/owners) don't have sufficient github permissions to add that team on crates.io" Jun 27, 2018
@carols10cents
Member

> We're only requesting the "read:org" scope from GitHub, so I don't think there is anything we can do on the crates.io end to better support this.

Yeah, I don't think we can change how GitHub works; the best we could do here is change the error message to suggest asking your github org administrator to change the permissions in github (or add the team to the crate for you)

@Turbo87 Turbo87 added C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works and removed C-feature-request labels Feb 11, 2021
@daxpedda

From what I'm reading here it should be possible to modify owners as a team member, or did I get this wrong?

So my setup is the following:

  • I'm a member of a team which has been added to the crate.
  • The team visibility is public, not secret.
  • Under my own "Authorized OAuth Apps", "crates.io" has access to the organization.
  • Under the organization's "Third-party application access policy", "crates.io" has been approved.

However, if I try to add a team to owners of the crate, I get "(status 403 Forbidden): team members don't have permission to modify owners".
