Default repository permissions for classroom organization

(Jacob Fiksel) #1

Hi all,

I’ve made an organization for my GitHub Classsoom, and would like to ensure that I have the appropriate default repository permissions for my students. I’ve noticed that if the default repository permissions are read, then students can view other students’ assignment repositories, even if you use the private setting. This seems a bit silly to me, as the point of private repositories is to prevent this sort of thing. If I change it to none, then it gets rid of this problem. However, I would like to have a private repository with classroom information (lectures, syllabus, etc…) inside of the organization. Setting organization default repository permission to none makes it so I have to invite each student within the organization separately to this repository. This is not a problem with a small class, but once you get into the 30 student range then it becomes quite annoying, especially since you have to type the username of each student.

Is there a recommended workaround for this as of now? I think the ultimate goal should be that students should only be able to view their own private assignments, no matter what the default read permissions are. I think this also highlights the need for GitHub Classroom to either be more closely integrated with GitHub Organizations, or build their own version of an organization.


(Readoc) #2

I cannot help with this question, but wanted to know I was searching for the same answer.

I’ve used GitHub for semester projects and didn’t mind all the students see code in the private repositories, but this is my first attempt using GitHub Classroom.

With two sections of 80+ students total I’d rather not add each by hand.

Perhaps someone has a script written to do this already?

(Dan Wallach) #3

So far as I can tell, the easiest way to do this, without writing external scripts and whatnot, is to have your “instructor-only” stuff outside of the GitHub “project” where all your students live. Then, you make all your TAs/labbies be “owners” of the class “project”, and the students can then have exclusive repos while the labbies and TAs can see everything.

I don’t think students need to be members of the “project” but I’m not 100% sure about that, at least not when they’re working solo.

(Jacob Fiksel) #4

@danwallach I’m not really sure what you mean by “project”–are you taking about the private repo that I would like everyone in the organization to see? I don’t want this repo to be instructor only. I do have a separate “master” organization where I keep starter code and such, but that’s separate from this issue. I would also not like to assign this repo as an assignment, since that would mean each student would have their own copy, and that makes it near impossible to update for each student.

(Dan Wallach) #5

Ahh, sorry. By “project”, I mean something like “”, which is where all my student repos go, via GitHub Classroom, versus “” (or equivalent), which is where I have things I don’t want my graders to see, which includes my slides, my plagiarism writeups for the university’s Honor Council, etc.

Basically, within my RiceComp215 project, my graders are all “owners”, which means they can see everything there. Elsewhere, they’re not, so I can more easily do access controls.

Likewise, if you want your students to all see things, you can make them members of your class “project” (again, e.g., “RiceComp215”) or just make them all a “team” where that team has read-access to whatever shared repo you want.

The hard part is pushing changes out to the students. I guess you could script things up to push changes to each and every student repo, but they’ll have to pull from the repo to get your changes, and if they continue onward without that pull, you’ll have merge conflicts to explain. I’m just crossing my fingers and hoping I never have to do this.

(Jacob Fiksel) #6

Got it. Just to clarify, my question is dealing with students who are organization members and what they actually can see. If they the default repository permission is read, then they can see other students’ private repos (their assignment repos), which means they’re seeing too much. If the default repository permission is none, then they can’t see the shared repo, which means they’re seeing too little.

I think your suggestion about the team makes the most sense. I guess my question then becomes what’s the most automated (least effort for me) way to add students to a team. My current thought is to create a team called Students after you’ve created the class organization and grant access to the shared private repo to the students team. I believe that you can have students request access to this team, rather than me having to manually enter in their usernames.

(Dan Wallach) #7

I’m sure you could cobble something like that together with the GitHub API. Since you’d basically run it once, it might not be worth the bother. I’m currently about 80% done with a program that automatically activates Travis-CI on each student’s repository, since I don’t want to have to flip 160 switches each week. It’s mostly done, but I hit some dumb API limit on Travis-CI, and won’t be able to get it tested until that limit goes away. Sigh.

(Mark Tareshawty) #8

I’ve noticed that if the default repository permissions are read, then students can view other students’ assignment repositories, even if you use the private setting.

@jfiksel when we add an GitHub organization as a GitHub Classroom we do in fact set the default permissions to none:

If you’re not seeing this behavior then there may be a bug somewhere.

As for being able to selectively show content your best option like state above is to have a large students team and give them access to the repository.

ATM we don’t do that in Classroom but I think that would be interesting to look into.

(Jacob Fiksel) #9

Thanks @tarebyte! I honestly can’t remember if I changed the read permission to none before or after giving access to GitHub Classroom. However, I distinctly remember a previous class having this problem after giving access to Classroom (this was in January though).

One thing that could be cool for classroom is that after giving access to Classroom, all members (not owners) are automatically part of of Student team. Anything that Classroom can do to reduce the administration of the class would be helpful. For example, if students accept an assignment before becoming members of the organization, they become Outside Collaborators. We then have to click through, one-by-one, and make them members of the organization. For teams, we either have to individually invite each student to a team, or accept each student’s request to join a team. Maybe this isn’t the right place to put this, so let me know if you would like me to write these comments elsewhere.

(Mark Tareshawty) #10

@jfiksel would you mind opening an issue with this suggestion and context?


(Geoff Schmit) #11

I have the default permission for my organization set to none. For the repository, with class notes, in that organization that I want all students to access, I made that repository public. Students are not added as part of the organization but can still view that repository, along with anyone else.

I’m not sure if this would accomplish what you want since I’m not sure if you want the repository private or public.

(Vanessa) #12

ohai @jfiksel please :open_file_folder: :white_check_mark: :sparkles: