@ossamalafhel ossamalafhel commented Sep 14, 2025

Changed GitHub API endpoint from /users/{username}/orgs to /user/orgs to retrieve all organizations for the authenticated user.

Problem

The /users/{username}/orgs endpoint only returns organizations where the user's membership is public, causing 403 errors for users with private organization membership when trying to publish.

Solution

Using /user/orgs returns all organizations (public and private) for the authenticated user, allowing them to publish to any organization they belong to.

Impact

  • Users can publish to all their organizations without changing visibility
  • Maintains existing security model (same auth token required)
  • Resolves 403 permission errors reported in issue "Not able to publish Server from Github Org" (#398)
  • Added test to ensure correct endpoint usage

This PR fixes the organization publishing permissions issue by using the correct GitHub API endpoint that returns all organizations, not just public ones.

Motivation and Context

Multiple users reported being unable to publish servers to their organizations despite being members. This was causing frustration and blocking legitimate use cases where organization membership is kept private for security or privacy reasons. See issue #398 for the original bug report.

How Has This Been Tested?

  • Added unit test TestGitHubHandler_UsesUserOrgsEndpoint that verifies:
    • The /user/orgs endpoint is called (not /users/{username}/orgs)
    • Private organizations are included in the response
    • Permissions are correctly generated for all organizations
  • All existing auth tests continue to pass
  • Manually verified the endpoint change follows GitHub API documentation

Breaking Changes

None. This is a backwards-compatible fix that expands access to include private organizations.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

The GitHub API documentation confirms that /user/orgs is the correct endpoint for retrieving all organizations of the authenticated user. This change aligns with GitHub's recommended practices for OAuth applications.
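
The endpoint difference described in this PR, as an added example that is not code from the PR or the registry project: a mock server where /users/{username}/orgs returns only public memberships and /user/orgs returns every membership of the token's user, with the client failing closed on a bad token. The org names, the test-token value, the publish: grant format and the helper names are assumptions, and the mock requires the token on both routes for brevity.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// mockGitHub is a constructed stand-in for the GitHub API; org names are hypothetical.
func mockGitHub() *httptest.Server {
	orgs := map[string]string{
		"/users/octocat/orgs": `[{"login":"acme-public"}]`, // public memberships only
		"/user/orgs":          `[{"login":"acme-public"},{"login":"acme-private"}]`,
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer test-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, orgs[r.URL.Path])
	}))
}

// publishGrants lists orgs from path and maps each to a hypothetical grant string.
func publishGrants(base, path, token string) ([]string, error) {
	req, _ := http.NewRequest(http.MethodGet, base+path, nil) // fixed method, test URL
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: status %d", path, resp.StatusCode)
	}
	var orgs []struct{ Login string }
	if err := json.NewDecoder(resp.Body).Decode(&orgs); err != nil {
		return nil, err
	}
	var grants []string
	for _, o := range orgs {
		grants = append(grants, "publish:"+o.Login)
	}
	return grants, nil
}

func main() {
	fmt.Println(publishGrants(mockGitHub().URL, "/user/orgs", "test-token"))
}
```

A handler test in the spirit of TestGitHubHandler_UsesUserOrgsEndpoint would additionally record which path the mock received, so that a regression back to the username-based route is caught.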

@ossamalafhel ossamalafhel force-pushed the feature/fix-org-publishing-permissions branch 3 times, most recently from 9d2074f to bcf9578 Compare September 14, 2025 10:38
…lcontextprotocol#398)

Changed GitHub API endpoint from /users/{username}/orgs to /user/orgs
to retrieve all organizations for the authenticated user.

## Problem
The /users/{username}/orgs endpoint only returns organizations where
the user's membership is public, causing 403 errors for users with
private organization membership when trying to publish.

## Solution
Using /user/orgs returns all organizations (public and private) for
the authenticated user, allowing them to publish to any organization
they belong to.

## Impact
- Users can publish to all their organizations without changing visibility
- Maintains existing security model (same auth token required)
- Resolves 403 permission errors for private org members
- Added test to ensure correct endpoint usage
@ossamalafhel ossamalafhel force-pushed the feature/fix-org-publishing-permissions branch from bcf9578 to 81c5647 Compare September 14, 2025 10:41
@ossamalafhel ossamalafhel changed the title from "fix: use authenticated user endpoint for fetching organizations (#396)" to "fix: use authenticated user endpoint for fetching organizations (#398)" Sep 14, 2025