!WARNING! Permissions Just Changed for Orgs

I don’t know how long ago this happened, but apparently, new members signing up for assignments began no longer being added as external collaborators to the repos created for them, but added as members of the organization. If, like me, you stored your course’s private repos, templates, marking infrastructure, etc. in the same organization, then the students now have access.

I’m truly hoping this is a one-off issue with my classroom, but for any instructor out there storing private code in their classroom org (with the expectation that only teaching staff has access), please take a second look at the access rights across the board.

For me, all students became members when they accepted a group assignment because they were added to a team, but the default member permissions were “None”, which does not allow them to see private repos unless the private repo is associated with their team and has additional permissions. You can check the default member permissions here: https://github.com/organizations/YOUR_ORGANIZATION/settings/member_privileges.

e.g., here’s what I see on a private repo in my org:

Notice that for me the “Base Role” is “None” while yours is “Read”. Can that be changed for you?


Just a bit of clarification. Like @goodmami mentioned below, this is only for group assignments because of the way they were initially built due to some access/permissions issues. Definitely understand the underlying issue still stands for you, but didn’t want you to think it was an overarching change or anything like that. :smiley_cat:

When I tested the individual / group assignments pre-course, it seemed to use the same access permissions – only manually added users are members (instructors+TAs), and students are pulled into repos via external collaborators. Is there no cross-check of org permissions when adding it to a classroom?

I’ve since locked everything down and removed the admin repos from the org entirely, but there’s a chance about 100+ students had access to everything used to create/mark half of the course’s assessment.

The behavior that haz describes appears extremely problematic. I created homeworks and exams in the same organization where the students get their group assignments.
Can GitHub please immediately confirm that what haz is suggesting is true or not, and if yes I can only say that is disastrous and for my course.
Please send me a private reply to my account - I do not check this site often.

I’m seeing the same screenshot that @goodmami shows, so no problems here, and that includes a private repo I created in my organization 5 days ago. I agree that all of my students are members of the organization, but they’re not seeing private repos that their team has not been added to (as far as I can tell from that Manage Access screen).

It’s all about the default behaviour. I seem to recall group signups using the same process as individual assignments (so outside collaboration instead of membership), which gave a natural partition of instructor (owner), TA staff (member), and student (outside collab). I can’t remember for certain, but I thought I tested this pre-semester.

Either way, the default permissions on an org are for members to have access to all the repositories. You can go to the organization settings to re-arrange all of this, but there was no warning when I went through the process.

@zkostic : The place to go is https://github.com/organizations/<your-org>/settings/member_privileges
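
The access check discussed in this thread (base role versus team grants), as an added example that is not part of any post above: it reports which private repos non-staff members can read. The sample data is constructed; `default_repository_permission`, `name` and `private` are real GitHub REST API fields, while the `TEAMS`, `MEMBERS` and `STAFF` layout and the function name are assumptions made for illustration.

```python
import json

# Constructed sample data. ORG mirrors the `default_repository_permission`
# field of GET /orgs/{org}; REPOS mirrors `name` and `private` from
# GET /orgs/{org}/repos. TEAMS, MEMBERS and STAFF use a simplified,
# hypothetical layout for this example.
ORG = json.loads('{"login": "YOUR_ORGANIZATION", "default_repository_permission": "read"}')
REPOS = json.loads("""[
  {"name": "exam-solutions", "private": true},
  {"name": "marking-scripts", "private": true},
  {"name": "hw1-team-alpha", "private": true},
  {"name": "course-website", "private": false}
]""")
TEAMS = {"team-alpha": {"members": ["student1", "student2"], "repos": ["hw1-team-alpha"]}}
MEMBERS = ["instructor", "ta1", "student1", "student2", "student3"]
STAFF = {"instructor", "ta1"}


def exposed_private_repos(org, repos, teams, members, staff):
    """Map each private repo to the non-staff members who can read it."""
    # Assumption: if the field is absent, treat the base role as "read"
    # so the audit over-reports rather than under-reports.
    base = org.get("default_repository_permission", "read")
    students = [m for m in members if m not in staff]
    exposure = {}
    for repo in repos:
        if not repo["private"]:
            continue
        readers = set()
        if base != "none":
            # Any base role other than "none" lets every member read the repo.
            readers.update(students)
        for team in teams.values():
            if repo["name"] in team["repos"]:
                readers.update(m for m in team["members"] if m not in staff)
        if readers:
            exposure[repo["name"]] = sorted(readers)
    return exposure


if __name__ == "__main__":
    for name, readers in exposed_private_repos(ORG, REPOS, TEAMS, MEMBERS, STAFF).items():
        print(f"{name}: readable by {', '.join(readers)}")
```

With the base role set to "read", every private repo in the sample is reported; with "none", only the repo attached to the students' team is.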