On 5/12/2022 2:25 PM, Richard Gaskin via use-livecode wrote:
Bob Sneidar wrote:

> I don't think the latest Apple operating systems allow the writing
> to the App Support folder, even if you have explicit write
> permissions.

Where are we supposed to write application support files if not to Application Support?

First they demanded control of the file format apps use for Prefs, now this...


I did a little bit of research when I ran into my app breaking on Catalina and up when trying to reach a folder at specialFolderPath("temporary") and write files in that folder. The problem is that newer macOSes use a runtime algorithm to try to determine when an application is asking for access in "special" places. If the algorithm detects special access (say to the Desktop or Documents folder or a Webcam and so on) the OS pops up the "Do you want to allow .. " dialog for the user to allow or deny access. An application signed and notarized WITH entitlements can specify some entitlements that are checked, and if the App has declared these entitlements to protected resources, they are allowed. Some "protected" resources have NO corresponding entitlements (at least currently). For disk access to folder paths without entitlements, the user can grant an application Full Disk Access, from System Preferences > Security, but an App cannot specify an entitlement for Full Disk Access. It must be granted by the user.

Further, an Apple Engineer in a forum response (or someone claiming to be an Apple Engineer) noted that the algorithm to detect requests for special access resources can make mistakes and not recognize a request as a request and therefore present a dialog to the user for allowing or denying, and the default is to deny. So in some circumstances, like apps running in multiple processes (was an example cited, but it was implied there are other circumstances), your app MIGHT get the allow/deny dialog OR it might not - depending on your app. And for some resources, it just won't get any dialog and no entitlement will allow access; only instructions to the user to grant Full Disk Access (or some other similar ONLY allowed by the user permissions) will work.

In short, Apple's sandboxing is a developer mess. If you can, placing files in the Documents folder is best as (A) you can specify the Documents folder in an entitlement and (B) the sandboxing algorithm does seem to always detect (first time) Documents access requests and pop up the dialog.

DISCLAIMER: I did not have time to research this in detail and the "apple engineer" may or may not have been a real Apple engineer or known what they were posting about. Our installer asks people on the last screen to grant our apps full disk access (if they are on Catalina+) and most people do and it solved a lot of recoding.


