Reduce file access, add StatusNotifierWatcher for KDE #20
Conversation
Closes flathub#19 , improves security. Possibility of closing flathub#13, needs testing
|
Started test build 35878 |
|
Build 35878 failed |
|
Started test build 35879 |
|
Build 35879 failed |
|
Started test build 35880 |
|
Build 35880 successful |
|
Thank you. I used this version for a day and it seems sort of ok. But I don't like that whan I'm saving a file somewhere into my For Slack it's different. The app always saves files into I don't want to make people angry and silently drop their files. So in my opinion we should wait until Mattermost Desktop notifies you when you haven't enough permissions to write the file into the selected destination or something like that. Does that make sense to you? |
|
Hi, thank you for your time to test and review this. This behaviour is unfortunate, but I would rather perhaps open up the :ro tags on those folders, if possible. I think this would still be quite a big upgrade from the current state of the app having access to all of $HOME while still supporting majority of the use cases. What do you think? |
|
Can @TingPing, @nedrichards, @barthalion or some other flatpak guru help us to decide? |
|
Hi Petr,
I am everything but a flatpak expert but I do have a similar problem with the Signal flatpak app. This one has the rw permissions set to xdg-downloads (IIRC) and saving a file somewhere else silenty fails. I you ask me this is an UX nightmare.
I have the weird feeling that this is something that would need addressing in Electron (?) so file save/read would use portals which shouldn't require the permissions (at least if I understood portals correctly). I'll be interested to hear what the actual flatpak gurus say.
Thanks for the fish^Wping
…On Mon, Jan 4, 2021, at 22:01, Petr Stefan wrote:
Can @TingPing <https://github.com/TingPing> or @apollo13
<https://github.com/apollo13> or some other flatpak guru help us to
decide?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#20 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAT5C35IHSOA66WUP47YZDSYIUB5ANCNFSM4VR2F35A>.
|
|
If it's broken in a not visible way, I don't think we want to go with this. |
|
Electron 14 will let apps use the xdg-desktop-portal file chooser which should eliminate the need to grant Mattermost any file system access. Users will be able to choose any file/folder securely through the use of the portal. Currently Mattermost is on Electron 12. In the meantime, for those who want to grant Mattermost Flatpak less file access, I recomend either using the command line
|
|
I dont think this is needed anymore, closing |
|
I'm confused by the closing. Electron now added proper save dialog support, so surely now is the time to actually do this. When Mattermost updates to Electron 14 of course |
|
I've just tested this again with Mattermost 5.1.0-rc1 on Electron 18 and it's still bad. When you save a file into let's say your home folder, the file downloads and there is also notification that the download finished. So far so good. When you try to save another file into the same location, you'll see the previous file there, but when you open the same exact directory from the file manager on the computer, the file just isn't there. And if you try to download a file into Documents, it isn't event downloaded at all. I don't know what I'm missing, but I think that we'll just keep write permissions for home filesystem. |
|
It sounds like the portal isn't being used for some reason. |
|
Just letting you guys know that I don't use mattermost anywhere anymore and currently don't really have a linux system handy, so it's up to you :) I will watch the thread and be happy to edit the PR as needed, though :) |
|
Started test build 87153 |
|
Build 87153 failed |
|
Hi @fourstepper, thanks. I'd close this PR since I don't want to merge it anytime soon and I'd keep track of home permissions in issue #19. |
|
@SemaiCZE ok, closing :) |
Closes #19 , improves security.
Possibility of closing #13, needs testing