-
Notifications
You must be signed in to change notification settings - Fork 574
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Option to not display new comment form #374
base: master
Are you sure you want to change the base?
Conversation
I would love to use this. Please consider for inclusion. |
good job |
hao can i use it |
I do not plan to merge this. Enabling any user to create the GitHub issue would mean the first person to comment has control of the whole thread, could edit the issue title, unlinking the issue from the blog post. |
That is already the case for pages without comments anyway, assuming no issue has been manually setup. (Unless I am missing something?) How long does it take for an issue to be created? Maybe the "link" to the issue can just create it if it does not exist. Or perhaps whenever someone visits the page, as it already checks anyway? |
Hi there, I don't know if this is the best final solution, but the lack of a feature like this is the only thing that would keep me from using utterances. Am I wrong in my understanding that this project is accumulating the "Act on your behalf" privileges for more and more users? Doesn't that make the App a plum target for an exploit / attack in the future? If the requested privileges are constrainted only to posting issues to the project using utterances then maybe the real thing that's missing is for the GitHub App authorization page to be more informative (i.e. saying what "Act on your behalf" means in detail). Maintainers -- thanks for your patience in reading this and your hard work in producing something interesting and useful. |
@mmt responding to your questions:
The app doesn't store any user information. No github user ids, no oauth tokens, nothing. When the OAuth token is issued it's encrypted on the Utterances server and sent to the client to be stored in local storage. When the client needs to post a comment it sends along the encrypted token which the Utterances service decrypts, calls the GitHub API, and then discards.
The Utterances GitHub App only uses the "issues" permission. Read more about permissions in the github docs. The tldr; is signing into utterances results in a github oauth token that has permissions equivalent to the intersection of what the Utterances app can do (manage issues/comments on repos where it's installed) and what you can do. This essentially limits it to creating issues and posting comments where it's installed. I agree, "Act on your behalf" is pretty vague/scary, all I can do is assure you Utterances requests the least permissions possible and doesn't store your creds/information. |
When Utterances needs to create an issue it uses the @utterances-bot account. This ensures the first person to leave a comment doesn't own the whole thread. |
yes, but right now someone can see that there are no comments, go to the correct repo and make an issue with the correct name. |
#355
Added optional argument
form
to thescript
tag.If
form=false
, thenew-comment-component
is replaced by a button that links to the issue.If the issue does not exist, an error message is displayed.
What it looks like: