
[BUG]: Team Membership API calls fail with Octokit high-level methods but work with direct requests #510


Closed
1 task done
tillka opened this issue May 6, 2025 · 2 comments
Labels
Status: Triage This is being looked at and prioritized Type: Bug Something isn't working as documented

tillka commented May 6, 2025

What happened?

Summary

When using Octokit's high-level methods (specifically, octokit.teams.addOrUpdateMembershipForUserInOrg()), I consistently receive a 403 permission error despite having organization owner permissions. However, identical requests using curl or octokit.request() work perfectly.

Steps to Reproduce

  • Use Octokit v21.0.0 with a valid GitHub token with organization owner permissions
  • Attempt to add a user (from outside of my org) to a (visible) team using the high-level method:

await octokit.teams.addOrUpdateMembershipForUserInOrg({
  org: 'OrganizationName',
  team_slug: 'team-name',
  username: 'github-username',
  role: 'member'
})

This should be possible according to the docs: https://octokit.github.io/rest.js/v21/#teams-add-or-update-membership-for-user-in-org

I can confirm that

  • I am the org owner,
  • I am the team maintainer,
  • that my personal access token works - so it has the right permissions,
  • my app is using the correct token in dev & prod,
  • the team is visible (not secret)

Error Message

[HttpError]: You must be an organization owner or team maintainer to add a team membership. - https://docs.github.com/rest/teams/members#add-or-update-team-membership-for-a-user status: 403

Expected Behavior

The high-level method should successfully add the user to the team, just like the following working alternatives do:

Working direct API call with curl:

curl -X PUT \
  -H "Authorization: token GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  -d '{"role":"member"}' \
  https://api.github.com/orgs/OrganizationName/teams/team-name/memberships/github-username

Working request with Octokit's request method:

await octokit.request('PUT /orgs/{org}/teams/{team_slug}/memberships/{username}', {
  org: 'OrganizationName',
  team_slug: 'team-name',
  username: 'github-username',
  role: 'member',
  headers: {
    'X-GitHub-Api-Version': '2022-11-28'
  }
})

Versions

Octokit version: 21.0.0
Octokit core: 6.1.2
Node: 20.18.3
Os: Linux

Relevant log output

PUT /orgs/REDACTED/teams/REDACTED/memberships/REDACTED - 403 with id CE5C:10F0A6:3B1AD3:76B6B2:681A028D in 100ms
[HttpError]: You must be an organization owner or team maintainer to add a team membership. - https://docs.github.com/rest/teams/members#add-or-update-team-membership-for-a-user
    [REDACTED some internal error codes]{
  status: 403,
  request: {
    method: 'PUT',
    url: 'https://api.github.com/orgs/REDACTED/teams/REDACTED/memberships/REDACTED',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'octokit-rest.js/21.0.0 octokit-core.js/6.1.2 Node.js/20.18.3 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"role":"member"}',
    request: { hook: [Function: bound bound s] }
  },
  response: {
    url: 'https://api.github.com/orgs/REDACTED/teams/REDACTED/memberships/REDACTED',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Tue, 06 May 2025 12:37:33 GMT',
      'github-authentication-token-expiration': '2025-12-20 09:33:12 +0100',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'github.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-accepted-github-permissions': 'members=write',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': 'CE5C:10F0A6:3B1AD3:76B6B2:681A028D',
      'x-ratelimit-limit': '5000',
      'x-ratelimit-remaining': '4999',
      'x-ratelimit-reset': '1746538653',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '1',
      'x-xss-protection': '0'
    },
    data: {
      message: 'You must be an organization owner or team maintainer to add a team membership.',
      documentation_url: 'https://docs.github.com/rest/teams/members#add-or-update-team-membership-for-a-user',
      status: '403'
    }
  }
}

Code of Conduct

  • I agree to follow this project's Code of Conduct
@tillka tillka added Type: Bug Something isn't working as documented Status: Triage This is being looked at and prioritized labels May 6, 2025
Contributor
github-actions bot commented May 6, 2025

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

Author
tillka commented May 19, 2025

I found the issue to be that my personal account was the "resource owner" of the access token. As I, using github.com, had access to the organization, I assumed this would be true for the access token. But apparently, the organization must be the "resource owner".

From my pov, it is a bit misleading that I cannot create access tokens from within the org for the org but only from within my personal account for the org by choosing the org as resource owner.

Either, my personal token should also have access to orgs that I also have access to OR I should be able to create tokens within the org, applicable for the org.

@tillka tillka closed this as completed May 19, 2025
@github-project-automation github-project-automation bot moved this from 🆕 Triage to ✅ Done in 🧰 Octokit Active May 19, 2025
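
Added example (not part of the issue and not Octokit code): a small triage helper that reads the fields visible in the 403 dump above, namely `x-accepted-github-permissions`, the rate-limit headers and the `/orgs/{org}/` part of the request URL, and turns them into checks for the token, including the resource-owner mismatch that resolved this issue. `SAMPLE_ERROR`, `parseAcceptedPermissions` and `triageForbidden` are hypothetical names; the header format and the rule that only classic tokens receive `x-oauth-scopes` are assumptions.

```javascript
// Added example; SAMPLE_ERROR is constructed to mirror the redacted dump in the issue.
const SAMPLE_ERROR = {
  status: 403,
  request: { url: 'https://api.github.com/orgs/example-org/teams/example-team/memberships/example-user' },
  response: { headers: {
    'x-accepted-github-permissions': 'members=write',
    'x-github-request-id': 'CONSTRUCTED-REQUEST-ID',
    'x-ratelimit-remaining': '4999',
  } },
};

// "a=read,b=write; c=read" -> [[{name,level},...], ...]; ";" separates alternative
// permission sets, "," separates permissions required together (assumed format).
function parseAcceptedPermissions(header) {
  return String(header || '').split(';')
    .map((set) => set.split(',')
      .map((p) => p.trim().split('='))
      .filter(([name, level]) => name && level)
      .map(([name, level]) => ({ name, level })))
    .filter((set) => set.length > 0);
}

// Returns null unless the error is a 403; otherwise a summary a human can act on.
function triageForbidden(error) {
  if (!error || error.status !== 403) return null;
  const headers = (error.response && error.response.headers) || {};
  const url = (error.request && error.request.url) || '';
  const org = (/\/orgs\/([^/]+)\//.exec(url) || [])[1] || null;
  // Assumption: only classic PATs and OAuth tokens receive x-oauth-scopes.
  const usesOAuthScopes = 'x-oauth-scopes' in headers;
  const rateLimited = headers['x-ratelimit-remaining'] === '0';
  const accepted = parseAcceptedPermissions(headers['x-accepted-github-permissions']);
  const hints = [];
  if (rateLimited) hints.push('rate limit exhausted; not a permission problem');
  if (!rateLimited && !usesOAuthScopes && org) {
    hints.push(`confirm the token's resource owner is the organization "${org}"`);
  }
  if (!rateLimited && accepted.length > 0) {
    const sets = accepted.map((s) => s.map((p) => `${p.name}=${p.level}`).join(' and '));
    hints.push(`token must grant: ${sets.join(' or ')}`);
  }
  return { org, usesOAuthScopes, rateLimited, accepted, hints,
    requestId: headers['x-github-request-id'] || null };
}

console.log(triageForbidden(SAMPLE_ERROR));
```

In an application, call `triageForbidden(err)` in the `catch` around the Octokit call and log the result with the request id, never the `authorization` header.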