Finder Sync App Extension `selectedItemURLs()` should receive "User Selected File" Sandbox file access.
| Originator: | peter.kamb | ||
| Number: | rdar://42874694 | Date Originated: | August 2 2018 |
| Status: | Open | Resolved: | |
| Product: | macOS + SDK | Product Version: | |
| Classification: | Reproducible: | 100% |
Area:
App Sandbox
Finder Sync App Extension `selectedItemURLs()` should receive "User Selected File" Sandbox file access.
The Finder Sync App Extension is Sandboxed and has "user-selected files read only" File Access:
```
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
```
The Finder Sync app is set to monitor the entire file system via `directoryURLs`:
```
FIFinderSyncController.default().directoryURLs = [URL(fileURLWithPath: "/")]
```
With the Finder Sync app running, I receive notifications for all Context Menus called on the entire system.
For example, the FinderSync app gets the following data when right-clicking a set of files on the Desktop:
```
{ selectedItemURLs = (
{ url = { relative = "file:///Users/user/Desktop/bug_report.txt"; }; },
{ url = { relative = "file:///Users/user/Desktop/IMG_1.jpg"; }; },
{ url = { relative = "file:///Users/user/Desktop/IMG_2.jpg"; }; },
{ url = { relative = "file:///Users/user/Desktop/IMG_3.jpg"; }; },
);
targetedURL = { url = { relative = "file:///Users/user/Desktop/"; }; };
}
```
These are "user selected files" that the user has physically selected and then right-clicked. The system is giving the URLs to my Finder Sync app extension. The App Extension should be able to use the files.
HOWEVER, there is an issue. These files are seemingly not receiving the same "User-Selected File" sandbox permisions as they would from an Open Panel. So, when I try to actually DO anything with the files that have been selected by the user, the sandbox is denying my action:
> The application “MyFinderSync” does not have permission to open “IMG_1.jpg.”
I am instead forced to add a Sandbox TEMPORARY EXCEPTION for read-only access to All Files:
```
<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
<array>
<string>/</string>
</array>
```
I do not want to add a temporary exception, both for security reasons and to avoid having issues with App Store Review.
EXPECTED RESULTS:
The file urls received from a Finder Sync App Extension should count as "USER SELECTED FILES" as far as Sandbox access is concerned.
FinderSync app extensions should have a new level of access that allows them to interact with all of the files granted to them via `FIFinderSyncController.default().directoryURLs`
Comments
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!