Feat: Add default permissions to most plugins (#1460)

* Add default permissions to most plugins.

Co-authored-by: chippers <[email protected]>
Co-authored-by: fabianlars <[email protected]>

* updated default description

* mobile plugin relevant changes

---------

Co-authored-by: chippers <[email protected]>
Co-authored-by: fabianlars <[email protected]>

plugins/autostart/permissions/autogenerated/reference.md

@@ -6,3 +6,13 @@
 |`deny-enable`|Denies the enable command without any pre-configured scope.|
 |`allow-is-enabled`|Enables the is_enabled command without any pre-configured scope.|
 |`deny-is-enabled`|Denies the is_enabled command without any pre-configured scope.|
+|`default`|This permission set configures if your
+application can enable or disable auto
+starting the application on boot.
+
+#### Granted Permissions
+
+It allows all to check, enable and
+disable the automatic start on boot.
+
+|

plugins/autostart/permissions/default.toml

@@ -0,0 +1,19 @@
+"$schema" = "schemas/schema.json"
+[default]
+description = """
+This permission set configures if your
+application can enable or disable auto
+starting the application on boot.
+
+#### Granted Permissions
+
+It allows all to check, enable and
+disable the automatic start on boot.
+
+"""
+
+permissions = [
+  "allow-enable",
+  "allow-disable",
+  "allow-is-enabled",
+]

plugins/autostart/permissions/schemas/schema.json

@@ -335,6 +335,13 @@
           "enum": [
             "deny-is-enabled"
           ]
+        },
+        {
+          "description": "default -> This permission set configures if your\napplication can enable or disable auto\nstarting the application on boot.\n\n#### Granted Permissions\n\nIt allows all to check, enable and\ndisable the automatic start on boot.\n\n",
+          "type": "string",
+          "enum": [
+            "default"
+          ]
         }
       ]
     }

plugins/barcode-scanner/permissions/autogenerated/reference.md

@@ -12,3 +12,11 @@
 |`deny-scan`|Denies the scan command without any pre-configured scope.|
 |`allow-vibrate`|Enables the vibrate command without any pre-configured scope.|
 |`deny-vibrate`|Denies the vibrate command without any pre-configured scope.|
+|`default`|This permission set configures which
+barcode scanning features are by default exposed.
+
+#### Granted Permissions
+
+It allows all barcode related features.
+
+|

plugins/barcode-scanner/permissions/default.toml

@@ -0,0 +1,20 @@
+"$schema" = "schemas/schema.json"
+[default]
+description = """
+This permission set configures which
+barcode scanning features are by default exposed.
+
+#### Granted Permissions
+
+It allows all barcode related features.
+
+"""
+
+permissions = [
+  "allow-cancel",
+  "allow-check-permissions",
+  "allow-open-app-settings",
+  "allow-request-permissions",
+  "allow-scan",
+  "allow-vibrate",
+]

plugins/barcode-scanner/permissions/schemas/schema.json

@@ -377,6 +377,13 @@
           "enum": [
             "deny-vibrate"
           ]
+        },
+        {
+          "description": "default -> This permission set configures which\nbarcode scanning features are by default exposed.\n\n#### Granted Permissions\n\nIt allows all barcode related features.\n\n",
+          "type": "string",
+          "enum": [
+            "default"
+          ]
         }
       ]
     }

plugins/biometric/permissions/autogenerated/reference.md

@@ -4,3 +4,11 @@
 |`deny-authenticate`|Denies the authenticate command without any pre-configured scope.|
 |`allow-status`|Enables the status command without any pre-configured scope.|
 |`deny-status`|Denies the status command without any pre-configured scope.|
+|`default`|This permission set configures which
+biometric features are by default exposed.
+
+#### Granted Permissions
+
+It allows acccess to all biometric commands.
+
+|

plugins/biometric/permissions/default.toml

@@ -0,0 +1,16 @@
+"$schema" = "schemas/schema.json"
+[default]
+description = """
+This permission set configures which
+biometric features are by default exposed.
+
+#### Granted Permissions
+
+It allows acccess to all biometric commands.
+
+"""
+
+permissions = [
+  "allow-authenticate",
+  "allow-status",
+]

plugins/biometric/permissions/schemas/schema.json

@@ -321,6 +321,13 @@
           "enum": [
             "deny-status"
           ]
+        },
+        {
+          "description": "default -> This permission set configures which\nbiometric features are by default exposed.\n\n#### Granted Permissions\n\nIt allows acccess to all biometric commands.\n\n",
+          "type": "string",
+          "enum": [
+            "default"
+          ]
         }
       ]
     }

plugins/clipboard-manager/permissions/autogenerated/reference.md

@@ -12,3 +12,9 @@
 |`deny-write-image`|Denies the write_image command without any pre-configured scope.|
 |`allow-write-text`|Enables the write_text command without any pre-configured scope.|
 |`deny-write-text`|Denies the write_text command without any pre-configured scope.|
+|`default`|No features are enabled by default, as we believe
+the clipboard can be inherently dangerous and it is 
+application specific if read and/or write access is needed.
+
+Clipboard interaction needs to be explicitly enabled.
+|

plugins/clipboard-manager/permissions/default.toml

@@ -0,0 +1,11 @@
+"$schema" = "schemas/schema.json"
+[default]
+description = """
+No features are enabled by default, as we believe
+the clipboard can be inherently dangerous and it is 
+application specific if read and/or write access is needed.
+
+Clipboard interaction needs to be explicitly enabled.
+"""
+
+permissions = []

plugins/clipboard-manager/permissions/schemas/schema.json

@@ -377,6 +377,13 @@
           "enum": [
             "deny-write-text"
           ]
+        },
+        {
+          "description": "default -> No features are enabled by default, as we believe\nthe clipboard can be inherently dangerous and it is \napplication specific if read and/or write access is needed.\n\nClipboard interaction needs to be explicitly enabled.\n",
+          "type": "string",
+          "enum": [
+            "default"
+          ]
         }
       ]
     }

plugins/deep-link/android/src/main/java/DeepLinkPlugin.kt

@@ -40,6 +40,8 @@ class DeepLinkPlugin(private val activity: Activity): Plugin(activity) {
         invoke.resolve(ret)
     }
 
+    // This command should not be added to the `build.rs` and exposed as it is only
+    // used internally from the rust backend.
     @Command
     fun setEventHandler(invoke: Invoke) {
         val args = invoke.parseArgs(SetEventHandlerArgs::class.java)

plugins/dialog/permissions/autogenerated/reference.md

@@ -10,3 +10,12 @@
 |`deny-open`|Denies the open command without any pre-configured scope.|
 |`allow-save`|Enables the save command without any pre-configured scope.|
 |`deny-save`|Denies the save command without any pre-configured scope.|
+|`default`|This permission set configures the types of dialogs
+available from the dialog plugin.
+
+#### Granted Permissions
+
+All dialog types are enabled.
+
+
+|

plugins/dialog/permissions/default.toml

@@ -0,0 +1,20 @@
+"$schema" = "schemas/schema.json"
+
+[default]
+description = """
+This permission set configures the types of dialogs
+available from the dialog plugin.
+
+#### Granted Permissions
+
+All dialog types are enabled.
+
+
+"""
+permissions = [
+    "allow-ask",
+    "allow-confirm",
+    "allow-message",
+    "allow-save",
+    "allow-open",
+]

plugins/dialog/permissions/schemas/schema.json

@@ -363,6 +363,13 @@
           "enum": [
             "deny-save"
           ]
+        },
+        {
+          "description": "default -> This permission set configures the types of dialogs\navailable from the dialog plugin.\n\n#### Granted Permissions\n\nAll dialog types are enabled.\n\n\n",
+          "type": "string",
+          "enum": [
+            "default"
+          ]
         }
       ]
     }

plugins/fs/permissions/autogenerated/reference.md

@@ -273,23 +273,27 @@
 |`deny-write-file`|Denies the write_file command without any pre-configured scope.|
 |`allow-write-text-file`|Enables the write_text_file command without any pre-configured scope.|
 |`deny-write-text-file`|Denies the write_text_file command without any pre-configured scope.|
-|`default`|# Tauri `fs` default permissions
-
-This configuration file defines the default permissions granted
-to the filesystem.
+|`create-app-specific-dirs`|This permissions allows to create the application specific directories.
+|
+|`default`|This set of permissions describes the what kind of
+file system access the `fs` plugin has enabled or denied by default.
 
-### Granted Permissions
+#### Granted Permissions
 
-This default permission set enables all read-related commands and
-allows access to the `$APP` folder and sub directories created in it.
-The location of the `$APP` folder depends on the operating system,
+This default permission set enables read access to the
+application specific directories (AppConfig, AppData, AppLocalData, AppCache,
+AppLog) and all files and sub directories created in it.
+The location of these directories depends on the operating system,
 where the application is run.
 
-In general the `$APP` folder needs to be manually created
+In general these directories need to be manually created
 by the application at runtime, before accessing files or folders
 in it is possible.
 
-### Denied Permissions
+Therefore, it is also allowed to create all of these folders via
+the `mkdir` command.
+
+#### Denied Permissions
 
 This default permission set prevents access to critical components
 of the Tauri application by default.
@@ -304,6 +308,9 @@ Allowing access can lead to sensitive information disclosure and should be well
 `$APPLOCALDATA/EBWebView` folder on windows as the webview data and configuration values are stored here.
 Allowing access can lead to sensitive information disclosure and should be well considered.|
 |`read-all`|This enables all read related commands without any pre-configured accessible paths.|
+|`read-app-specific-dirs-recursive`|This permission allows recursive read functionality on the application
+specific base directories. 
+|
 |`read-dirs`|This enables directory read and file metadata related commands without any pre-configured accessible paths.|
 |`read-files`|This enables file read related commands without any pre-configured accessible paths.|
 |`read-meta`|This enables all index or metadata related commands without any pre-configured accessible paths.|

plugins/fs/permissions/create-app-specific-dirs.toml

@@ -0,0 +1,23 @@
+"$schema" = "schemas/schema.json"
+
+[[permission]]
+identifier = "create-app-specific-dirs"
+description = """
+This permissions allows to create the application specific directories.
+"""
+commands.allow = ["mkdir"]
+
+[[permission.scope.allow]]
+path = "$APPCONFIG"
+
+[[permission.scope.allow]]
+path = "$APPDATA"
+
+[[permission.scope.allow]]
+path = "$APPLOCALDATA"
+
+[[permission.scope.allow]]
+path = "$APPCACHE"
+
+[[permission.scope.allow]]
+path = "$APPLOG"

plugins/fs/permissions/default.toml

@@ -2,27 +2,33 @@
 
 [default]
 description = """
-# Tauri `fs` default permissions
+This set of permissions describes the what kind of
+file system access the `fs` plugin has enabled or denied by default.
 
-This configuration file defines the default permissions granted
-to the filesystem.
+#### Granted Permissions
 
-### Granted Permissions
-
-This default permission set enables all read-related commands and
-allows access to the `$APP` folder and sub directories created in it.
-The location of the `$APP` folder depends on the operating system,
+This default permission set enables read access to the
+application specific directories (AppConfig, AppData, AppLocalData, AppCache,
+AppLog) and all files and sub directories created in it.
+The location of these directories depends on the operating system,
 where the application is run.
 
-In general the `$APP` folder needs to be manually created
+In general these directories need to be manually created
 by the application at runtime, before accessing files or folders
 in it is possible.
 
-### Denied Permissions
+Therefore, it is also allowed to create all of these folders via
+the `mkdir` command.
+
+#### Denied Permissions
 
 This default permission set prevents access to critical components
 of the Tauri application by default.
 On Windows the webview data folder access is denied.
 
 """
-permissions = ["read-all", "scope-app-recursive", "deny-default"]
+permissions = [
+    "create-app-specific-dirs",
+    "read-app-specific-dirs-recursive",
+    "deny-default",
+]

plugins/fs/permissions/read-app-specific-dirs-recursive.toml

@@ -0,0 +1,31 @@
+"$schema" = "schemas/schema.json"
+
+[[permission]]
+identifier = "read-app-specific-dirs-recursive"
+description = """
+This permission allows recursive read functionality on the application
+specific base directories. 
+"""
+commands.allow = [
+    "read_dir",
+    "read_file",
+    "read_text_file",
+    "read_text_file_lines",
+    "read_text_file_lines_next",
+    "exists",
+]
+
+[[permission.scope.allow]]
+path = "$APPCONFIG/**"
+
+[[permission.scope.allow]]
+path = "$APPDATA/**"
+
+[[permission.scope.allow]]
+path = "$APPLOCALDATA/**"
+
+[[permission.scope.allow]]
+path = "$APPCACHE/**"
+
+[[permission.scope.allow]]
+path = "$APPLOG/**"