Asking for (file access) permissions on-the-fly

[Hoeze]

Hi, would it be possible to ask for permissions on-the-fly?
E.g. Slack has the issue that I cannot upload files from certain folders without having me overriding permissions on the CLI beforehand.

From a user's perspective, it would be nice if there would be a permission request dialog in such cases:

Do you want to allow `com.slack.Slack` to access `~/...`? 
-> [deny | allow once | allow always]

I'm thinking of an Android-like permission system.

[WhyNotHugo]

Correct me if I'm wrong, but the file-choose portal and document-portal do exactly this.

Firefox, for example, uses this, and you can select files in any local directory without it having access.

[smcv]

Using those portals requires the application to be using libraries that support it (such as GTK 3 or 4, and similarly recent Qt versions). High-quality Flatpak applications usually do that.

However, for proprietary apps like Slack where the maintainer of a Flatpak app is just repackaging someone else's proprietary binary, we do not get to choose how the app works - it is not under our control whether it uses the portals or not.

If the application does its own browsing for files and does not talk to the portals, then there is not a whole lot that Flatpak can do to make this better. If an app like Slack has its own UI for browsing for a file to upload (does it?), then displaying that UI already requires it to be able to access directory listings for every directory that you might browse into, but the filenames in those directories are already something that you are likely to want apps to be unable to see. For instance, if you have ~/Documents/Treatments for hair loss.pdf, you might not want applications to be able to see that - and the existence of the file is perhaps more sensitive than its actual contents. (This is a relatively silly example, but I'm sure you can imagine medical conditions, political groups, etc. that you wouldn't want to leak via filenames.)

The way this works with the file chooser portal is that the "Open..." or "Save as..." dialog is not part of the app, and can list all the filenames even though the app cannot. Only the selected file gets shared with the app, and only when you have finished browsing for it.

From a user's perspective, it would be nice if there would be a permission request dialog

If the application has its own UI for browsing for a file to upload, we cannot tell the difference between the app listing the contents of a directory because you asked it to, and the app listing the contents of all directories in the background so that it can do evil things with that information. But I suspect you don't want this UX either:

Slack wants to list files in /home/you
[Allow] [Deny]

Slack wants to list files in /home/you/Downloads
[Allow] [Deny]

Slack wants to list files in /home/you/Downloads/memes
[Allow] [Deny]

Slack wants to open /home/you/Downloads/memes/clean-all-the-things.png
[Allow] [Deny]

... and even to be able to implement a UX that bad, someone would have to write a FUSE filesystem that we could mount instead of the entire home directory.

[WhyNotHugo]

Please keep in mind that Electron already supports these portals, so it's mostly a matter of Slack updating their Electron version to the latest.

[vchernin]

While the file chooser originally should have been working with Electron 14, 16 appears to have better support for some reason. electron/electron#31258

[Mikenux]

Can't this issue be closed? (unless it makes sense in the context of portals)

[smcv]

Yeah, I think the answer is:

• high-level/conceptual: Asking for (file access) permissions on-the-fly #674 (comment)
• Slack and other Electron apps specifically: Asking for (file access) permissions on-the-fly #674 (comment)