-
-
Notifications
You must be signed in to change notification settings - Fork 194
The Permission Store
Portals use the permission store to keep information about the permissions that a user has given for apps.
By design, permissions are generally handled in the portal frontend, xdg-desktop-portal. Keeping permissions out of the UI backends helps to ensure a consistent behavior and makes it easier to write backends. One example of this design principle is the OpenUri portal, where the frontend deals with permissions and the launching of the selected handler, and the backend just provides an application chooser dialog.
The permission store keeps its data in multiple tables. Each table is stored as a GVariant in a file in $XDG_DATA_HOME/flatpak/db. The tables correspond to the portals that use the permission store. All tables have the same general format: a list of objects (identified by a string ID) for which permissions apply, and for each object a list of subjects (identified by and application ID) and permissions, Optionally, extra data can be associated with each object. The permissions are stored as a free-form string the format of which depends on the table in question.
Beyond the general object/subject/permissions format, the format of permissions and extra data in each table is an implementation detail of the portals using the table. The documentation here is provided for debugging purposes.
The documents table is used by the document portal.
Each object is a file in the document portal, represented by its ID.
The permissions are a comma-separated list with the possible entries "read", "write", "delete" and "grant-permissions".
The extra data for each object is a GVariant with this format: (ayttu) containing the path, the st_dev and st_ino fields from stat, and a flags field that can have the values
- DOCUMENT_ENTRY_FLAG_UNIQUE: 1
- DOCUMENT_ENTRY_FLAG_TRANSIENT: 2
Example:
- documents
- 107c97e4 (b'/home/mclasen/Pictures/forget-me.png',64771,3670087,0)
- org.gnome.Recipes "read,grant-permissions"
- org.gnome.Eog "read,write,delete"
- 107c97e4 (b'/home/mclasen/Pictures/forget-me.png',64771,3670087,0)
The notifications table is used by the notification portal.
It uses only a single object with the fixed ID "notification" and no extra data.
The permission string can be either "yes" or "no".
Example:
- notifications
- notification 0x0
- org.gnome.Recipes "yes"
- org.gnome.Eog "no"
- notification 0x0
The desktop-used-apps table is used by the OpenURI portal.
Each object is a content format, represented by a mime type or x-scheme-handler (pseudo-mimetype). No extra data is used.
The permission string consists of 2 or 3 comma-separated fields. The first is the application ID of the last-used handler, the second is a use count, and the optional third a threshold number that will be used, if defined, along with the use count field to determine whether to present and app chooser dialog or just launch the application directly.
Example:
- desktop-used-apps
- x-scheme-handler/mailto 0x0
- org.telegram.desktop "evolution,1"
- org.gnome.Recipes "evolution,3,5"
- x-scheme-handler/mailto 0x0
By default, no thresholds are set for any installed flatpak application, meaning that the comparison against the use count won't ever be performed unless such thresholds are explicitly set, for which we'll need additional tooling that we don't have in place yet.
Therefore, in this default scenario (no thresholds) the app chooser dialog would always be shown, but to make the experience less frustrating we have defined a few exceptions where the dialog would be skipped, if ALL the following conditions are met:
- The mime type is
inode/directory
OR the x-scheme-handler is eitherhttp
orhttps
. - There is a default application to handle the URI OR only one candidate application available.
For instance, the relaxed rules above mean that you won't ever see the app chooser dialog if you try to open a web page or a file:///path/to/directory
URI and you either have a default handler defined for them (e.g. GNOME Web, Nautilus) or you don't have any default explicitly defined but no other alternative apps available to handle such URIs.
Remeber that these relaxed rules will only be applied if no threshold is defined. As soon as a threshold is in place, the decision of skipping the dialog will only be based on such threshold and the use count.
The devices table is used by the Device portal (which in turn is used by pulseaudio).
It has objects that represent a fixed set of common devices: "speakers", "microphone", "camera", and does not use extra data.
The permission string can be "yes", "no", or "ask".
Example:
- devices
- speakers
- org.telegram.desktop "yes"
- org.gnome.Rhythmbox3 "ask"
- speakers
The location table is used by the Location portal (which uses geoclue).
It uses only a single object with the fixed ID "location" and no extra data.
The permissions string for each application entry consists of the allowed accuracy and the last-use timestamp (using monotonic time). The possible values for the accuracy are NONE, COUNTRY, CITY, NEIGHBORHOOD, STREET, EXACT.
Example:
- location
- location
- org.gnome.PortalTest CITY,1234131441
- org.gnome.Todo EXACT,00909313134
- org.gnome.Polari NONE,0
- location
The portal will only set the accuracy to EXACT. A different UI could let the user specify more limited accuracy.