We've been getting a few questions as to why we're asking for so many permissions when you click the link above using GitHub Classroom.
I'd like to take a moment to explain how they work, why we need to request them from you, and how you can manage your organizations privacy while still using our application.
The link above is using the "Group Assignment" feature, this allows a team of students to work on an assignment together in an organization.
This is the page that is shown after a user accepts the permissions that Classroom requests.
When you click on the the "Join" button here is what happens under the hood.
- Invite you to join the @githubschool organization
- Accept the invitation to join the organization on your behalf so you don't have to respond to an email invitation
- Add you to the Education Community team on GitHub
- Redirect you to a page on Classroom that will give you a link to take you to the designated repository we created for the team
Accepting the organization invitation on your behalf is the reason why we need full organization permissions. Other than that if all you do is accept the invitation link and join the @githubschool organization, we'll never use your token again.
If you're concerned about leaking information about another organization I encourage you to turn on or ask an admin to turn on Third Party Application Restrictions for your organization and reject GitHub Classroom from having access to it.
And as always, if you're interested about the implementation as whole feel free to check out the source code at https://github.com/education/classroom