
authz: remove provider-based perms sync for user code host connections

Warren Gifford requested to merge jc/user-code-host-perms-sync into main

Created by: unknwon

Removing provider-based repo permissions syncing for user code host connections is necessary to ensure users only see private repositories they've explicitly added 100% of the time. That is because provider-based permissions syncing could sometimes succeed when the user themselves has write access to the private repositories that are being added: we would be able to get results back from the GitHub API (we're using the OAuth token from the user-added code host connection, which should have the max access level the user has).

The unwanted side effect is that if any user-accessible private repository happens to be added by others, but the user hasn't explicitly added it themselves, that private repository will show up in search results.

Please review with "hide whitespace changes" enabled.
