From 7dc11c02aa0e7d56003527d3b871c0dfce410059 Mon Sep 17 00:00:00 2001
From: Kay0u
Date: Wed, 20 Jan 2021 15:07:44 +0100
Subject: [PATCH 1/2] fix check if user is member of the YunoHost-Apps
---
 run.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/run.py b/run.py
index 2699aa7..f0bc95f 100644
--- a/run.py
+++ b/run.py
@@ -1030,9 +1030,17 @@ async def github(request):
 # Nothing to do but success anyway (204 = No content)
 abort(204, "Nothing to do")
- # We only accept this from people which are member/owner of the org/repo
- # https://docs.github.com/en/free-pro-team@latest/graphql/reference/enums#commentauthorassociation
- if hook_infos["comment"]["author_association"] not in ["MEMBER", "OWNER", "COLLABORATOR", "CONTRIBUTOR"]:
+ # We only accept this from people which are member of the org
+ # https://docs.github.com/en/rest/reference/orgs#check-organization-membership-for-a-user
+ # We need a token an we can't rely on "author_association" because sometimes, users are members in Private,
+ # which is not represented in the original webhook
+ async def is_user_in_organization(user):
+ token = open("./github_bot_token").read().strip()
+ async with aiohttp.ClientSession(headers={"Authorization": f"token {token}"}) as session:
+ await resp = session.get(f"https://api.github.com/orgs/YunoHost-Apps/members/{user}")
+ return resp.status == 204
+
+ if not await is_user_in_organization(hook_infos["comment"]["user"]["login"]):
 # Unauthorized
 abort(403, "Unauthorized")
From 17fa0fea3ef7bf2136bca9a2d19b3a0d7d96f854 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Wed, 20 Jan 2021 15:12:07 +0100
Subject: [PATCH 2/2] Accept header to explicly use github api v3
Co-authored-by: Kayou
---
 run.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/run.py b/run.py
index f0bc95f..6ad7189 100644
--- a/run.py
+++ b/run.py
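Review bot: `await resp = session.get(...)` inside is_user_in_organization is not valid Python — `await` cannot be applied to an assignment target — so run.py fails to import and the membership check never runs at all; the same line survives unchanged as context in the PATCH 2/2 hunk. Use the response as a context manager so it is also released: `async with session.get(f"https://api.github.com/orgs/YunoHost-Apps/members/{user}") as resp:` with `return resp.status == 204` indented beneath it. The token file is read through a bare `open()` that is never closed; `with open("./github_bot_token") as f: token = f.read().strip()` fixes that. The login comes from the webhook payload and is interpolated into the URL path unescaped, so unless the request is signature-verified before this point (not visible in the hunk), percent-encoding it with `urllib.parse.quote(user, safe="")` keeps a crafted login from changing which endpoint is queried. A network failure in the GitHub call would presumably raise out of the handler rather than reach the 403 `abort`, which is fail-closed but deserves either a comment saying so or an explicit `except aiohttp.ClientError: return False`.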
@@ -1036,7 +1036,7 @@ async def github(request):
 # which is not represented in the original webhook
 async def is_user_in_organization(user):
 token = open("./github_bot_token").read().strip()
- async with aiohttp.ClientSession(headers={"Authorization": f"token {token}"}) as session:
+ async with aiohttp.ClientSession(headers={"Authorization": f"token {token}", "Accept": "application/vnd.github.v3+json"}) as session:
 await resp = session.get(f"https://api.github.com/orgs/YunoHost-Apps/members/{user}")
 return resp.status == 204