User removed even though all requirements were addressed

[epoberezkin]

The comment was added:

Removing @... from organisation. These were the outstanding requirements:

[rtyley]

Hmm, must be something going wrong in https://github.com/guardian/gu-who/blob/666997a77e/app/lib/OrgUserProblems.scala#L80-L94 . Do you run gu-who frequently or manually every once in a while? There might be a bit of a race condition that gets exposed if gu-who runs are far apart.

Possibly we don't see this issue at the Guardian because we're running gu-who on an organisation webhook, so it gets run pretty frequently.

[epoberezkin]

There was a big gap indeed, we were trying to get access to some bot account that would be removed otherwise (and it was, correctly).
We plan to start running it regularly as cron job. Hook seems insecure to be honest - the token with owner privileges will be visible to all org members. Or am I missing something?

[rtyley]

There was a big gap indeed, we were trying to get access to some bot account that would be removed otherwise (and it was, correctly).

If you add the bot to a team called bots the 2FA requirement will be waived, but the other two won't - I guess the full-name requirement could have got you there.

Hook seems insecure to be honest - the token with owner privileges will be visible to all org members.

The GitHub docs aren't very clear on this, but I believe it's just org owners who have access to the Settings tab that org webhooks fall under - I tried viewing the webhook with a colleague's account and they were unable to see those settings.

[epoberezkin]

Yes, the full name
You're right about the hook, I thought it would be visible to all members. Easier than cron job indeed