do not require user scope for /auth/github

Konstantin Haase 2013-01-11 17:42:01 +01:00
parent 3d6defe3b1
commit cc2a1cd50e
2 changed files with 4 additions and 3 deletions


@ -220,7 +220,7 @@ class Travis::Api::App
def user_for_github_token(token, drop_token = false)
data = GH.with(token: token.to_s) { GH['user'] }
scopes = parse_scopes data.headers['x-oauth-scopes']
halt 403, 'insufficient access' unless acceptable? scopes
halt 403, 'insufficient access: %p' unless acceptable? scopes
user = UserManager.new(data, token, drop_token).fetch
halt 403, 'not a Travis user' if user.nil?
@ -251,6 +251,7 @@ class Travis::Api::App
def acceptable_scopes_for(scope)
case scope = scope.to_s
when /^user/ then ['user', scope, 'public_repo', 'repo']
when /^(.+):/ then [$1, scope]
when 'public_repo' then [scope, 'repo']
else [scope]
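Review bot: The `halt 403, 'insufficient access: %p'` line in `user_for_github_token` never supplies a value for `%p`, so the client would receive the literal placeholder in the 403 body; if the intent is to report the token's scopes it needs `halt 403, 'insufficient access: %p' % [scopes] unless acceptable? scopes`. In the second hunk, `when /^user/` is a prefix match placed ahead of `/^(.+):/`, so any required scope beginning with `user` (for example `user:email`) appears to be satisfied by a token holding only `public_repo` or `repo`. If only the bare `user` requirement is meant to be relaxed, `when 'user' then ['user', 'public_repo', 'repo']` would leave the sub-scopes on the stricter branch. Both method bodies continue outside the visible hunks, and the page does not mark which lines are added, so this assumes the `%p` line and the `/^user/` line are the new ones.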


@ -26,8 +26,8 @@ describe Travis::Api::App::Endpoint::Authorization do
describe 'POST /auth/github' do
before do
data = { 'id' => user.github_id, 'name' => user.name, 'login' => user.login, 'gravatar_id' => user.gravatar_id }
GH.stubs(:with).with(token: 'private repos').returns stub(:[] => user.login, :headers => {'x-oauth-scopes' => 'user,repo'}, :to_hash => data)
GH.stubs(:with).with(token: 'public repos').returns stub(:[] => user.login, :headers => {'x-oauth-scopes' => 'user,public_repo'}, :to_hash => data)
GH.stubs(:with).with(token: 'private repos').returns stub(:[] => user.login, :headers => {'x-oauth-scopes' => 'repo'}, :to_hash => data)
GH.stubs(:with).with(token: 'public repos').returns stub(:[] => user.login, :headers => {'x-oauth-scopes' => 'public_repo'}, :to_hash => data)
GH.stubs(:with).with(token: 'no repos').returns stub(:[] => user.login, :headers => {'x-oauth-scopes' => 'user'}, :to_hash => data)
GH.stubs(:with).with(token: 'invalid token').raises(Faraday::Error::ClientError, 'CLIENT ERROR!')
end
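Review bot: The `private repos` and `public repos` stubs appear to have been edited in place to drop `user`, which leaves no case in this `before` block for a token that carries both `user` and a repo scope, presumably the shape already-issued tokens have. Keeping the `user,repo` and `user,public_repo` stubs under their own token names next to the new ones would cover both the old and the relaxed path. Since this commit loosens an authorization check, a stub with an unrelated scope and an example expecting the 403 would also pin where the check still refuses. The `describe` block continues outside the hunk, so such an example may already exist further down.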