Option to not display new comment form #374
Conversation
I would love to use this. Please consider for inclusion.
good job
How can I use it?
I do not plan to merge this. Enabling any user to create the GitHub issue would mean the first person to comment has control of the whole thread, could edit the issue title, unlinking the issue from the blog post.
That is already the case for pages without comments anyway, assuming no issue has been manually set up. (Unless I am missing something?) How long does it take for an issue to be created? Maybe the "link" to the issue can just create it if it does not exist. Or perhaps whenever someone visits the page, as it already checks anyway?
Hi there, I don't know if this is the best final solution, but the lack of a feature like this is the only thing that would keep me from using utterances. Am I wrong in my understanding that this project is accumulating the "Act on your behalf" privileges for more and more users? Doesn't that make the App a plum target for an exploit / attack in the future? If the requested privileges are constrained only to posting issues to the project using utterances then maybe the real thing that's missing is for the GitHub App authorization page to be more informative (i.e. saying what "Act on your behalf" means in detail). Maintainers -- thanks for your patience in reading this and your hard work in producing something interesting and useful.
@mmt responding to your questions:
The app doesn't store any user information. No github user ids, no oauth tokens, nothing. When the OAuth token is issued it's encrypted on the Utterances server and sent to the client to be stored in local storage. When the client needs to post a comment it sends along the encrypted token which the Utterances service decrypts, calls the GitHub API, and then discards.
The Utterances GitHub App only uses the "issues" permission. Read more about permissions in the github docs. The tldr; is signing into utterances results in a github oauth token that has permissions equivalent to the intersection of what the Utterances app can do (manage issues/comments on repos where it's installed) and what you can do. This essentially limits it to creating issues and posting comments where it's installed. I agree, "Act on your behalf" is pretty vague/scary, all I can do is assure you Utterances requests the least permissions possible and doesn't store your creds/information.
When Utterances needs to create an issue it uses the @utterances-bot account. This ensures the first person to leave a comment doesn't own the whole thread. |
yes, but right now someone can see that there are no comments, go to the correct repo and make an issue with the correct name.
#355

Added optional argument `form` to the `script` tag. If `form=false`, the `new-comment-component` is replaced by a button that links to the issue. If the issue does not exist, an error message is displayed.

What it looks like:
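The `form=false` behaviour described in the pull request, as an added JavaScript example rather than the PR's own diff: it parses the attribute, looks up the page's issue (a constructed in-memory list stands in for the GitHub search, and the `issue-title` attribute with lookup by exact title is an assumption of this example, not how utterances resolves issues), and returns one of form, link or error. It also validates the issue URL before using it as a link target, a check the description does not mention.

```javascript
// Added example (not utterances' own code): selecting the comment UI from a
// `form` attribute on the <script> tag.

// Parse the boolean-ish `form` attribute. Absent attribute keeps the form (default).
function parseFormAttribute(value) {
  if (value === undefined || value === null) return true;
  const v = String(value).trim().toLowerCase();
  return !(v === 'false' || v === '0' || v === 'no');
}

// Only accept https://github.com/... so a hostile or mis-parsed API field
// cannot turn the button into an arbitrary link (example's own check).
function isSafeIssueUrl(url) {
  let u;
  try {
    u = new URL(String(url));
  } catch {
    return false;
  }
  return u.protocol === 'https:' && u.hostname === 'github.com';
}

// Decide what to render. `issue` is the lookup result for this page, or null.
function chooseCommentUi({ form, issue }) {
  if (parseFormAttribute(form)) return { kind: 'form' };
  if (issue === null) {
    return { kind: 'error', message: 'No issue exists for this page yet.' };
  }
  if (!isSafeIssueUrl(issue.html_url)) {
    return { kind: 'error', message: 'Issue link rejected.' };
  }
  return {
    kind: 'link',
    href: issue.html_url,
    label: `Comment on GitHub (${issue.comments} comments)`,
  };
}

// Constructed stand-in for the issue search; real lookups go through the GitHub API.
const SAMPLE_ISSUES = [
  {
    title: '/posts/hello-world',
    html_url: 'https://github.com/example/blog-comments/issues/7',
    comments: 3,
  },
];
function findIssueByTitle(title, issues = SAMPLE_ISSUES) {
  return issues.find((i) => i.title === title) || null;
}

// Read attributes from the script element; in a browser `el` is document.currentScript.
// `issue-title` is a hypothetical attribute name used only by this example.
function render(el, issues = SAMPLE_ISSUES) {
  const form = el.getAttribute('form');
  const issue = findIssueByTitle(el.getAttribute('issue-title'), issues);
  return chooseCommentUi({ form, issue });
}

// Minimal element stand-in so the example runs outside a browser.
function fakeScriptEl(attrs) {
  return { getAttribute: (name) => (name in attrs ? attrs[name] : null) };
}
```

Whatever renders the `link` result should set the button's `href` only from the validated `issue.html_url`; the `error` branch is where the "issue does not exist" message from the description is surfaced.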