Personal Token:Must have admin rights to repository #1812

Closed
sotiriszegiannis opened this issue Jun 6, 2018 · 11 comments

@sotiriszegiannis

I'm developing a desktop app that manages GitHub accounts. I use a personal access token to retrieve information and update the repositories and issues. I have a couple of cases where, as soon as I try to update an issue, I get the error "Must have admin rights to repository". However, I can retrieve all the repositories and issues but I can't update them. I have asked the GitHub account owner to check all scopes. I'm not the owner of the git account; I'm just using the token to perform the update operation.

Any pointers will really help.

@ryangribble
Contributor

👋 Hi @sotiriszegiannis

The permissions for the actual access token look quite broad, but it would then still depend on what permission the user has on the repo in question, and what exactly you are trying to update.

Can you provide more details on what you are doing (a code sample would be great)?

Thanks

@sotiriszegiannis
Author

Hi @ryangribble,
your comment pointed me in the right direction and I solved my issue. Here's a brief description of the issue: There was an organization git account with many repos and personal accounts. One of the personal accounts was the token issuer that I was using to access and update the issues. More specifically, I was trying to edit the description of the organizational account's issues through the personal account's token. Although the personal account had almost all scopes checked, the permissions for the organization's repos were all read only! So even though I could edit and update any issues that I was creating through the personal account's token, I couldn't edit existing issues from the organization. We had a couple of solutions around this.
1. One of them was to change the role of the personal account inside the organization, but that was rejected since it gave great control to the account and that was not desired from the organization's part. I can't blame them!
2. The other solution was to change the repository's default member permissions. That was rejected too because that would give all the collaborators the power to edit issues except from the personal account whose token I was using.

So because none of the above solutions was secure proof, a third suggestion was put on the table. For each repo that the personal account I was using needed write access to, the default repo permission for my account would be changed.
Now I had already thought about that and for me that would be the best scenario too, but the thing is that there are more than 1400 repos that my account would need write access to. That means that unless we do it through the git API, some poor fellow will have to go inside each and every repo and change permissions! We still haven't decided. For the time being it seems that the lazy fellows in the organization just decided to change the account's role from member to owner. To be continued....

@IEvangelist

Hey, this issue hasn't seen any attention in a long time. I'm curious, how would this work for standard :octocat: GitHub accounts? I am trying to update an issue from the SDK and it's not working. I'm using an API Token as well and I assume it's related to this... please help.

@shiftkey
Member

@IEvangelist It Depends™ on what you're trying to do with the token. And while the user thought they had set all the right permissions, this bit is important to keep in mind:

> Although the personal account had almost all scopes checked, the permissions for the organization's repos were all read only!

Knowing what you're allowed to do within an organization (check the permissions your team has) will likely help to diagnose your issue.

@IEvangelist

IEvangelist commented Aug 30, 2019

I'm the repo's owner, regardless of organizations -- why would that matter? Here is an issue I filed, but I believe it's still somehow related to the API token. I own the repo, and created an API token to interact with the repo. Why does organization have anything to do with my own repo?

Does simply being a part of an organization mean that my own repos are subject to their restrictions? That wouldn't make any sense at all. The repo is mine, I created it and it does not belong to those organizations -- right? What am I missing here?

@shiftkey
Member

> Does simply being a part of an organization mean that my own repos are subject to their restrictions?

These are maintained separately, so you shouldn't be impacted. The previous user had to deal with this headache.

> The repo is mine, I created it and it does not belong to those organizations -- right? What am I missing here?

If we're focused on repositories under your user account, I'd also confirm that you've set repo scope (if you're updating a private repository) or public_repo (if you're updating a public repository) on the token.
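
The two layers this thread keeps running into, the token's scopes and the token owner's permission on each repository, can be told apart from API responses alone. The following is an added example, not code from the thread or from Octokit.net: it assumes a classic personal access token (whose scopes GitHub returns in the `X-OAuth-Scopes` response header) and the `permissions` object GitHub includes in repository responses; the function names and sample data are constructed.

```python
# Added example. SCOPES and REPOS are constructed sample data shaped like
# GitHub REST responses; they are not taken from a real account.
SCOPES = "repo, read:org, user"      # X-OAuth-Scopes header value
REPOS = [                            # trimmed GET /repos/{owner}/{repo} bodies
    {"full_name": "example-org/billing", "private": True,
     "permissions": {"admin": False, "push": False, "pull": True}},
    {"full_name": "example-org/docs", "private": False,
     "permissions": {"admin": False, "push": True, "pull": True}},
]


def parse_scopes(header_value):
    """Split the comma-separated scope header into a set of scope names."""
    return {s.strip() for s in (header_value or "").split(",") if s.strip()}


def diagnose(scopes_header, repo, authored_by_token_owner=False):
    """Return (can_edit_issue, blocking_layer) for one repository."""
    scopes = parse_scopes(scopes_header)
    # Layer 1: what the token may do on its owner's behalf.
    # 'repo' covers private and public repos, 'public_repo' public ones only.
    if "repo" not in scopes and (repo["private"] or "public_repo" not in scopes):
        return False, "token scope"
    # Layer 2: what the token's owner may do on this repository.
    # Authors can edit their own issues; anyone else needs write access.
    perms = repo.get("permissions", {})
    if not authored_by_token_owner and not (perms.get("push") or perms.get("admin")):
        return False, "repository permission"
    return True, None


def repos_needing_write_grant(scopes_header, repos):
    """Repositories where only the per-repo permission blocks the edit."""
    return [r["full_name"] for r in repos
            if diagnose(scopes_header, r) == (False, "repository permission")]


if __name__ == "__main__":
    for r in REPOS:
        print(r["full_name"], diagnose(SCOPES, r))
    print("grant write on:", repos_needing_write_grant(SCOPES, REPOS))
```

Run over a full repository listing, the last function gives the set of repositories that need a per-repository write grant, which is the narrower alternative to promoting the account to organization owner.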

@50kudos

50kudos commented Sep 2, 2019

I had the same (original) issue but with OAuth App (so it might not be that original).

It's true, as the above comment said: organization access scope is maintained separately. So when you are a repository owner in an organization (even if you are also an org owner), your own personal token can't get into organization access scope until granted. You have to grant yourself.

@shiftkey
Member

shiftkey commented Sep 3, 2019

@50kudos thanks for the reminder about OAuth app access restrictions for organizations - that's definitely something I've seen users have problems with in the past...

@daemenseth

I have the issue

"message": "You need admin access to the team before adding a repository to it.",

when I create a repo. How can I solve that?

@shiftkey
Member

@daemenseth that error indicates your user is not an administrator of the team. That's not something changing the token can address.

@shiftkey
Member

I'm going to close this out because it's not clear what work needs to be done in Octokit.net to improve this area. Please open a fresh issue if you have ideas.
