Checking user authorization for repos is important for services that integrate with GitHub. I’ve used it in CommitCheck and may need to implement it in PRScheduler too.

I needed authorization for CommitCheck’s status page. When a user visits a status page URL, it should check that the user actually has access to that repo. To do that, I used GitHub’s permissions API.


At first I tried getting all the user’s data from GitHub and parsing their repos. I thought this was the best way to handle authorization, but the right way is to use the permission API:

For example, I can check the permissions of tomkadwill for atom-rails with:

Here’s the response object:


Inside the response body there are two top-level keys: permission and user. If you’re only checking user permissions, all you care about is the permission field.

Here’s how I implemented the permission API in CommitCheck (using Ruby):

```ruby
require 'net/http'
require 'json'
REPO_MEMBER_PERMISSIONS = %w[admin write read].freeze

# "owner/name" of the repo whose status page was requested (body assumed: taken from the route params).
def requested_repo
  "#{params[:owner]}/#{params[:repo]}"
end

# GitHub's collaborator permission endpoint for the signed-in user (the `login` attribute is assumed).
def repo_permission_url
  "https://api.github.com/repos/#{requested_repo}/collaborators/#{current_user.login}/permission"
end

def status_request_headers
  {
    'Content-Type' => 'application/json',
    'Accept' => 'application/vnd.github.machine-man-preview+json',
    'Authorization' => "Bearer #{current_user.oauth_token}"
  }
end

# True only when GitHub reports read, write or admin; a 404, non-JSON body or nil permission denies access.
def check_authorization
  uri = URI(repo_permission_url)
  req = Net::HTTP::Get.new(uri, status_request_headers)
  res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(req)
  end
  return false unless res.is_a?(Net::HTTPSuccess)
  REPO_MEMBER_PERMISSIONS.include?(JSON.parse(res.body)['permission'])
end
```

requested_repo, repo_permission_url and status_request_headers build up the request URL and headers. check_authorization calls the API to check whether the user has 'read', 'write', 'admin' or nil permission; only the first three count as authorized.

For this particular use case I don’t need to differentiate between ‘read’, ‘write’ or ‘admin’. But if you do then you can change the logic to check for a specific permission type.
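Here is an added example (not CommitCheck’s code) of what that "specific permission type" logic can look like once the levels are ranked, so a page can require at least 'write' rather than just membership. It assumes GitHub’s documented permission values (admin, write, read, none) and that a user who cannot see a private repo gets a 404; the sample responses are constructed, not captured from GitHub.

```ruby
require 'json'
require 'net/http'

# Permission levels from weakest to strongest. "none" is what GitHub reports
# for a user who is not a collaborator on the repo.
PERMISSION_RANK = { 'none' => 0, 'read' => 1, 'write' => 2, 'admin' => 3 }.freeze

# Decide whether a permission API response grants at least `required` access.
# Anything unexpected (non-2xx status, non-JSON body, unknown permission
# string) returns false, so failures deny access instead of granting it.
def authorized?(status:, body:, required: 'read')
  return false unless status.to_i.between?(200, 299)
  data = begin
    JSON.parse(body)
  rescue JSON::ParserError
    nil
  end
  return false unless data.is_a?(Hash)
  level = PERMISSION_RANK[data['permission']]
  return false if level.nil?
  level >= PERMISSION_RANK.fetch(required)
end

# Fetch the raw status and body for a user on owner/repo with that user's
# OAuth token (assumed: plain strings, no framework). Returns [code, body].
def fetch_permission(owner, repo, login, oauth_token)
  uri = URI("https://api.github.com/repos/#{owner}/#{repo}/collaborators/#{login}/permission")
  headers = { 'Accept' => 'application/vnd.github+json',
              'Authorization' => "Bearer #{oauth_token}" }
  req = Net::HTTP::Get.new(uri, headers)
  res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http| http.request(req) }
  [res.code, res.body]
end

# Constructed sample responses illustrating each decision path.
SAMPLES = {
  admin:   ['200', '{"permission":"admin","user":{"login":"tomkadwill"}}'],
  read:    ['200', '{"permission":"read","user":{"login":"tomkadwill"}}'],
  none:    ['200', '{"permission":"none","user":{"login":"someone"}}'],
  missing: ['404', '{"message":"Not Found"}'],
  garbage: ['200', '<html>rate limited</html>']
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, (code, body)|
    puts "#{name}: read=#{authorized?(status: code, body: body)} write=#{authorized?(status: code, body: body, required: 'write')}"
  end
end
```

Pair `fetch_permission` with `authorized?` in a real handler; the sample table exists only so the decision logic can be exercised offline.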