> “This change removes the “Act on your behalf” note in the consent page if the app is requesting only read permissions against the user account itself.”
I think this blog demonstrates the problem. To a lot of people this is perfectly straightforward. Others might think, “but my GitHub account is where I keep all my private repos.”
When listing access controls, I think most nouns need to very carefully map back to a clear definition, ideally full of examples and bulleted lists of “what this is” and “what this isn’t”
> “This change removes the “Act on your behalf” note in the consent page if the app is requesting only read permissions against the user account itself.”
I think this blog demonstrates the problem. To a lot of people this is perfectly straightforward. Others might think, “but my GitHub account is where I keep all my private repos.”
When listing access controls, I think most nouns need to very carefully map back to a clear definition, ideally full of examples and bulleted lists of “what this is” and “what this isn’t”
You mean, like in the next two sentences? First "what this isn't":
> "If the app is requesting any kind of repository, organization, or enterprise permission (read or write) then the note still appears."
And then "what this is":
> "This allows applications to sign in users and get their profile information and email addresses (if requested) without undue alarm."
This had been an open issue since ~2022:
https://github.com/orgs/community/discussions/37117
Lots of discussion and "this will never get fixed" comments (including from me) but hey...! It did get fixed! :-)