Read and Write access for FinderSync extension in a sandboxed environment

2

9

The scenario

The user right-clicks a directory in Finder and finds a custom MenuItem. Clicking that item will tell my app to open up a window where the user can do his work. When he is finished, files need to be written to the folder he selected by right-clicking.

The Problem

I got everything to work now, but the very last part. The extension can't write to the selected folder.

The user selecting the folder he wants to interact with seems not to be part of the Powerbox, which - as I understand it - is only activated with openPanel and savePanel. How do I get the rights to interact with the folder that the user selected through my menu item? I can't find a reference to any possible solution to that problem in the developer library. Not in the sandboxing guide, not in the extensions guide.

The possibility to add custom menu items would be rather useless if there was no way to use the selected files and folders so I'm sure there must be a way for accessing them.

Maybe the way I'm trying to write is wrong. My main app writes a temporary file into a shared group folder. After that it sends a notification that the extension listens to:

// Runs in the extension when the main app posts its "file is ready" notification.
func copyFile(notification:NSNotification)
{
    NSLog("write file")

    if let target = tmpTarget
    {
        // Shared app-group container where the main app left the temporary file.
        let secureContainer = NSFileManager.defaultManager().containerURLForSecurityApplicationGroupIdentifier("group.de.enie.Nu")
        let contents = NSFileManager.defaultManager().contentsOfDirectoryAtURL(secureContainer!, includingPropertiesForKeys: nil, options: NSDirectoryEnumerationOptions.SkipsHiddenFiles | NSDirectoryEnumerationOptions.SkipsPackageDescendants | NSDirectoryEnumerationOptions.SkipsSubdirectoryDescendants , error: nil)

        for content in contents as! [NSURL]
        {
            NSLog("tmp data: \(content.path!)")
            if content.lastPathComponent!.stringByDeletingPathExtension == "SharedData"
            {
                NSLog("found shared file")

                // Copy into the folder the user right-clicked. This is the call the sandbox denies.
                var copyError: NSError?
                if NSFileManager.defaultManager().copyItemAtURL(content, toURL: target.URLByAppendingPathComponent(content.lastPathComponent!), error: &copyError)
                {
                    // Remove the temporary file only after a successful copy.
                    NSFileManager.defaultManager().removeItemAtURL(content, error: nil)
                }
                else
                {
                    NSLog("copy failed: \(copyError)")
                }
            }
        }
        tmpTarget = nil
    }
}

The attempt to write the file results in these console notifications:

  • open on /Users//Desktop/SharedData.png: Operation not permitted
  • deny file-write-create /Users//Desktop/SharedData.png

Any ideas how to get access to user selected folders are appreciated.

Update

I just reassured myself that I made no mistakes in any way. While I'm allowed to access folders via the NSOpenPanel (which means entitlements should be right), I cannot create folders in / or even bookmark the target URL of my default FIFinderSyncController.

Silvanus answered 16/5, 2015 at 13:18 Comment(0)
3

Even though the Finder Sync App Extension is granted "User Selected File" Sandbox File Access, the selectedItemURLs() files accessed by the user via Finder Sync App Extension right-click seemingly do not count as being "user-selected". The sandbox thus denies your Finder Sync app access to those files.

As the other answer notes, the only way around this is to use a temporary entitlement for wider file access. Or to use a Powerbox NSOpenPanel to have the user select a containing folder, and use that security-scoped bookmark to access the sandboxed files.

Please duplicate my Apple bug report requesting this behavior be allowed:

Finder Sync App Extension selectedItemURLs() should receive "User Selected File" Sandbox file access.

rdar://42874694
https://openradar.appspot.com/radar?id=5063363058991104

Crosscheck answered 3/8, 2018 at 17:33 Comment(0)
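
The Powerbox route described in this answer, as an added example (not code from the original posts). It assumes the code runs in the containing app, which also carries the com.apple.security.files.bookmarks.app-scope entitlement; `grantKey`, `GrantError`, `requestFolderGrant` and `copy(_:into:)` are hypothetical names.

```swift
import AppKit

// Hypothetical names for this example; none come from the original post.
let grantKey = "GrantedFolderBookmark"
enum GrantError: Error { case noGrant, outsideGrant, accessDenied }

/// Ask the user once, through the Powerbox, for a folder that contains the
/// directories they will later right-click in Finder, and persist the grant.
func requestFolderGrant() throws {
    let panel = NSOpenPanel()
    panel.canChooseDirectories = true
    panel.canChooseFiles = false
    panel.allowsMultipleSelection = false
    panel.prompt = "Grant Access"
    guard panel.runModal() == .OK, let folder = panel.url else { throw GrantError.noGrant }
    // Requires the com.apple.security.files.bookmarks.app-scope entitlement.
    let bookmark = try folder.bookmarkData(options: .withSecurityScope,
                                           includingResourceValuesForKeys: nil,
                                           relativeTo: nil)
    UserDefaults.standard.set(bookmark, forKey: grantKey)
}

/// Copy `source` into `targetFolder` (the URL the extension got from
/// selectedItemURLs()), refusing targets outside the granted folder.
func copy(_ source: URL, into targetFolder: URL) throws {
    guard let saved = UserDefaults.standard.data(forKey: grantKey) else {
        throw GrantError.noGrant
    }
    var stale = false
    let granted = try URL(resolvingBookmarkData: saved, options: .withSecurityScope,
                          relativeTo: nil, bookmarkDataIsStale: &stale)
    guard granted.startAccessingSecurityScopedResource() else { throw GrantError.accessDenied }
    defer { granted.stopAccessingSecurityScopedResource() }
    if stale {  // Folder moved or renamed: refresh the stored bookmark.
        let fresh = try granted.bookmarkData(options: .withSecurityScope,
                                             includingResourceValuesForKeys: nil,
                                             relativeTo: nil)
        UserDefaults.standard.set(fresh, forKey: grantKey)
    }
    // Compare symlink-resolved path components so "../" or a symlink cannot
    // make a location outside the grant look like it is inside.
    let root = granted.resolvingSymlinksInPath().standardizedFileURL.pathComponents
    let dest = targetFolder.resolvingSymlinksInPath().standardizedFileURL.pathComponents
    guard dest.starts(with: root) else { throw GrantError.outsideGrant }
    let destination = targetFolder.appendingPathComponent(source.lastPathComponent)
    try FileManager.default.copyItem(at: source, to: destination)
}
```

Unlike the code in the question, the thrown errors surface a sandbox denial to the caller instead of leaving it visible only in the console.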
2

You should be able to write to the selected file if you grant the entitlement: com.apple.security.files.user-selected.read-write

Arboreal answered 22/5, 2015 at 23:56 Comment(5)
Thank you for your reply, and yes, I also think that I should get read and write access with this entitlement. But I don't. I didn't mention this in my post, but this is exactly what I've tried, and I could not read or write any files. Apple's sandboxing documentation only states that you can read/write files with this entitlement when the user selected the file in an NSOpenPanel. I already tested file access with an open panel and it worked, so there should be no problems with my entitlement settings. – Silvanus
Ah, in that case, you might need to use a temporary entitlement like com.apple.security.temporary-exception.files.home-relative-path.read-write. However, your app might be rejected if you submit it to the App Store. – Arboreal
Thank you for that advice. For now I can write files where the user wanted me to write them. As suggested in the temporary entitlement docs, I'll post a bug report that it should be possible to get access to the user-selected folder. I'll write another comment as soon as I know if Apple rejected the app because of that or not. – Silvanus
@Silvanus did you post a bug report to Apple about the temporary entitlement? I am getting the same issue with a Finder Sync extension. Did you get any solution? – Natashianatassia
@SwapnilTandel yes, I wrote a bug report, but I have not heard anything from Apple for 2 years now. Bug Report – Silvanus
