Sandbox: get NSData using bookmarkDataWithOptions method of NSURL without NSOpenPanel - cocoa

I enabled the sandbox and I want to create data with bookmarkDataWithOptions.
If the URL is created by NSPanel, that works very well. But if I obtain the URL without using NSOpenPanel, the bookmarkDataWithOptions method always returns nil. Why?
Think about the case where I want a special folder to be readable/writable by default without using NSOpenPanel.
How can I do that?
Thanks

The main feature of the Sandbox is security. If an application could read/write an arbitrary folder without user permission, the security would be broken.
The App Sandbox Design Guide states clearly:
• Simulation of user input in Open and Save dialogs:
if your app depends on programmatically manipulating Open or Save dialogs to simulate or alter user input, your app is unsuitable for sandboxing.
The only way to achieve something similar is to add a read/write entitlement to one of the preset directories (Documents, Pictures, Music, etc…). For further documentation, take a look at this guide.

Related

What does startAccessingSecurityScopedResource() actually do?

I'm making a sandboxed Mac app, and I used NSOpenPanel to get a file URL, and saved it to UserDefaults as a security-scoped bookmark. When I quit and restart the app, I can resolve that blob of Data into a URL again.
The documentation says I should call startAccessingSecurityScopedResource(), and check its return value. (That does return true when I call it.) But if I don't call that, I've still got a resolved URL, and I still appear to have permissions to access it.
What does startAccessingSecurityScopedResource() actually do? Is there anything bad that can happen, if I don't call it?
As long as your app only accesses files in standard locations (Downloads, Music, Movies, Pictures) and you included the required entitlements for programmatic file and folder access in your app, you don't need to store security scoped bookmarks for those locations.
But for other locations that should remain accessible after the app has been restarted, you should store security scoped bookmarks and call startAccessingSecurityScopedResource() before access. If you skip that step, you'll get an exception as soon as you try to access that file.
startAccessingSecurityScopedResource() makes the security scoped bookmark's resource available to your app's sandbox thus granting you access to that resource.
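The bookmark life cycle discussed in the two questions above, as an added Swift example (not code from the original posts). It assumes a sandboxed macOS app with the com.apple.security.files.user-selected.read-write and com.apple.security.files.bookmarks.app-scope entitlements; `bookmarkKey`, `BookmarkError`, `storeBookmark` and `withBookmarkedURL` are hypothetical names.

```swift
import Foundation

// Hypothetical UserDefaults key, chosen for this example.
let bookmarkKey = "savedFolderBookmark"

enum BookmarkError: Error {
    case noStoredBookmark
    case accessDenied(URL)
}

/// Call with a URL the user picked in NSOpenPanel: that user choice is what
/// grants the sandboxed app access to the location in the first place.
func storeBookmark(for url: URL, defaults: UserDefaults = .standard) throws {
    let data = try url.bookmarkData(options: .withSecurityScope,
                                    includingResourceValuesForKeys: nil,
                                    relativeTo: nil)
    defaults.set(data, forKey: bookmarkKey)
}

/// Resolves the stored bookmark, opens the security scope for the duration
/// of `body`, and always closes it again.
func withBookmarkedURL<T>(defaults: UserDefaults = .standard,
                          _ body: (URL) throws -> T) throws -> T {
    guard let data = defaults.data(forKey: bookmarkKey) else {
        throw BookmarkError.noStoredBookmark
    }
    var isStale = false
    let url = try URL(resolvingBookmarkData: data,
                      options: .withSecurityScope,
                      relativeTo: nil,
                      bookmarkDataIsStale: &isStale)

    // Check the return value instead of assuming access was granted.
    guard url.startAccessingSecurityScopedResource() else {
        throw BookmarkError.accessDenied(url)
    }
    // Every successful start must be balanced by a stop.
    defer { url.stopAccessingSecurityScopedResource() }

    if isStale {
        // Refresh the stored bookmark while access is active.
        try storeBookmark(for: url, defaults: defaults)
    }
    return try body(url)
}
```

A caller would wrap each file operation, for example `try withBookmarkedURL { try FileManager.default.contentsOfDirectory(at: $0, includingPropertiesForKeys: nil) }`.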

Correct directory for NSPersistentDocument OSX

I am writing a shoebox type application wherein a user enters data into a single window. I’ve configured the data model with Core Data. Apple’s documentation states that user data should be stored in a Library Directory, however the auto-generated code seems to make a directory in the Application Support directory where one, the documentation also states, “should never store user data.” Which is correct?
The other question I have is should I not create an instance of NSPersistentDocument in the applicationDidFinishLaunching method?
User-created data should be managed by the user: the user should decide where they are saved, etc.
Application-created data would indeed belong in the application support directory. If your application creates an NSPersistentDocument without user intervention, this would be the correct place to store it. For example, if you were using NSPersistentDocument to manage application data it would belong in a sandboxed directory such as NSApplicationSupportDirectory.
The File System Programming Guide goes into this in more detail.

AppleScript application can't get rights in Accessibility

I'm having trouble with my own AppleScript applications and Accessibility in "Security & Privacy".
I've written an application called "open cubase" that I've granted accessibility rights. I used Apple's advice on how to prevent repeated re-authorization (http://support.apple.com/kb/HT5914). But now even when the application is listed and selected in the Accessibility list, it says that it doesn't have assistive access.
And when I'm using
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/Tcc.db 'SELECT * FROM access WHERE client LIKE "%%"'
to check what's going on, I can see this:
kTCCServiceAccessibility|com.atonus.open-cubase|0|1|0|??
Why is there ?? at the end of that? Is there anyone who would know how to resolve this?
I'm using OSX 10.9.2.
Update, based on feedback from the OP:
The OP's issue is not the use of property statements that normally cause an AppleScript-based application to self-modify the application bundle's embedded Contents/Resources/Scripts/main.scpt script file when property values change at runtime.
However, Apple's workaround at http://support.apple.com/kb/HT5914:
• IS specifically meant to address not requiring re-authorization as a result of this self-modification issue for a given version of an application.
• is NOT meant to allow updating the app (changing its source code or resources) without re-authorization.
For security reasons there is NO way to grant one-time authorization to an app based on its bundle ID and then keep it authorized no matter how it changes (e.g., through updates).
You have two options:
• Either: Re-authorize the application every time you update it.
After updating your app, go to System Preferences > Security & Privacy > Privacy > Accessibility and toggle the checkmark next to the list item representing your application (if your application isn't there, drag it there).
Note: With Apple's workaround in place - which for security reasons is NOT a good idea unless you truly need to use property statements that persist their values - it may be sufficient to re-sign the application - haven't verified that.
• Or: Use a workaround - not recommended for security reasons:
Make your app an unchanging wrapper that loads the true script code at runtime from a location OUTSIDE the app bundle - that way, the app stays the same and doesn't require re-authorization even if the script file loaded at runtime changes.
Example: Say your true script code - involving code requiring assistive access - is stored as ~/Desktop/test.scpt; your wrapper application, once authorized, can then invoke that script with run script file ((path to home folder as text) & "Desktop:test.scpt")
I don't have a specific explanation, but a recommendation:
Do not use properties (e.g., property FNAME : "Input.txt") in your AppleScript-based applications: AppleScript persists these automatically (preserves their values between runs), but the feature is implemented awkwardly (the persisted values are written to the *.scpt file itself - this is what causes the repeated authorization problem) and flimsily (if you modify your application and save (the *.scpt file at the heart of the) application again, previously persistent values are lost).
If you stay away from properties, the problem with repeated authorization simply goes away (unless you update your application). You can roll your own persistence, e.g., via AppleScript's support for .plist (property-list) files (see the System Events dictionary).
You also won't need the workaround described in the linked support article (http://support.apple.com/kb/HT5914), which is also a plus, given that the workaround is based on opening up a security hole.
As for your specific question:
The ?? is the - unhelpful - representation of the csreq column value from the TCC.db database and is not a problem per se; OSX manages that column behind the scenes; it contains a fingerprint of sorts identifying the application in its specific current form (similar to an MD5 hash, though I have no idea what is actually being used), so as to be able to detect tampering later.
However, I suspect you may be looking at the wrong database entry:
I'm puzzled by your bundle ID being com.atonus.open-cubase: if your app is an AppleScript-based *.app bundle, its bundle ID would have the fixed prefix com.apple.ScriptEditor.id., e.g., com.apple.ScriptEditor.id.open-cubase. Did you manually modify the bundle ID via the bundle's Info.plist file, or am I missing something?
When the OS determines tampering/a change in an authorized application:
• It resets the allowed column value to 0, i.e., revokes authorization.
• It resets the csreq column value to NULL.
Thus, after you've seen the ... is not allowed assistive access dialog, the database entry should be reported as kTCCServiceAccessibility|com.atonus.open-cubase|0|0|1| - note the changed Boolean flags and the absence of the ?? at the end.

How do I access the Request object from RazorViewEngine?

I have subclassed RazorViewEngine so I can check for Request.Browser.IsMobileDevice and add a special mobile identifier to the view file name for it to grab. However I can't access the Request object. What should I do?
You can use either the HttpContext.Current.Request or Context.Request. However, understand how IsMobileDevice works. It uses a browser file which contains a list of known user agents. As soon as a new device is built, that list is outdated, but in some cases may still identify the device to be mobile correctly. The recommended way is to use 51Degrees or to connect to the services it encompasses directly.

Blackberry setting permission to inject events (esc button to jump back to app)

I am taking photo by invoking the camera, and as many have explained I get back to the app using...
EventInjector.KeyEvent inject = new EventInjector.KeyEvent(EventInjector.KeyEvent.KEY_DOWN, Characters.ESCAPE, 0);
inject.post();
inject.post();
... in a FileSystemJournalListener.
This works on the simulator but does not on my device (Bold 9900). How do I set the permission for the app programmatically so that this will work on a device without the user having to set permissions manually?
Cheers
You have to test for the permissions you have, then request the ones you don't have but need. Here's a hint. Don't be a shmuck like so many other app developers. Ask for permissions on first run and take what you're given. If you aren't given a permission that you need, inform the user that you can't run without that permission, and give them the option of going through your permission dialog again. If you don't get a permission which is not critical, and InputSimulation is far too dangerous a permission IMHO to be considered critical to put the camera away, run but inform the user (at the appropriate time) that s/he has to do some manual stuff. Like put the camera away after taking a picture.
The classes you will need to use are ApplicationPermission, ApplicationPermissionManager and ReasonProvider.
