brew cask zap prompt when Full Disk Access is needed #7587
Conversation
Do that in the rescue block. |
|
@reitermarkus do you mean do something other than try to delete the files the zap is supposed to? One way that I found being used elsewhere (not in homebrew, that is) was to look at the Safari bookmarks file (I'll try to find the source for that) which would not be accessible without full disk access. That doesn't feel like the right thing to do here. Maybe it's ok, but it seems weird to have homebrew looking at safari (or other application) files. Maybe there's a better way to test for access.
Do what exactly? I see the
|
In my dotfiles I am checking if
In the |
Ahh, I see what you mean. Is that preferable to using |
We should do this in addition to rescuing |
|
So right now I'm looking at something like: begin
yield path, Pathname.glob(resolved_path)
rescue Errno::EPERM
unless File.readable?('~/Library/Application Support/com.apple.TCC/TCC.db')
odie "Unable to remove some files. Please enable Full Disk Access for your teminal under " \
"System Preferences → Security & Privacy → Privacy → Full Disk Access."
else
raise
end
endIs that what you're thinking? |
Yep, something like that. |
|
I just tested locally and it seems for some reason |
|
It seems to be working with the file for me. I can try to switch to the directory instead though |
|
@reitermarkus Can you take another look at this? |
|
Thanks, @Rylan12! |
|
Homebrew does not allow us to run it under sudo mode for security reason, and at the same time, brew cask zap requires full disk access to be opened up to the Terminal app in Mac, which practically is giving almost sudo access to all programs, not just Homebrew. May be the message can be more specific about which directory the zap need access to? May be we can just grant access on those few directories? |
No, it is not. Disk access is not even close to
It depends entirely on each app. You’re free to |
Well, may be not super user access to the system, but giving "Full Disk Access" to "Terminal", which means I am granting the same permission to other apps (not Homebrew"). To me, that is worse than granting a temp sudo access to Homebrew. Kind of contradictory. Just my two cents. Thanks for the suggestion on using stanza, that is great. Cheers. |
brew stylewith your changes locally?brew testswith your changes locally?Fixes Homebrew/homebrew-cask#80835
This change adds a better error message for when
brew cask zapfails due to not having Full Disk Access.The error text can be easily changed if someone has better wording or a different message (I don't know if there are any guidelines for error messages)
Another possibility is to replace the
odieerror message with anopoowarning message. This will give a warning that the file wasn't able to be removed but will continue execution and remove the rest of the files that it is able to remove. A downside of this is that there would be an error message for each file that wasn't able to be removed. If this method is preferable, it wouldn't be too hard to have one error message at the end which lists all the files that weren't able to be deleted.I wasn't able to find a way to detect whether Full Disk Access is enabled without trying to do something that requires it and seeing if it fails, so adding a rescue block seemed like the right option.
Currently, though, this is a catch-all and it is probably better if it only catches the error caused by not having access. I wasn't able to figure out which error to
rescueso I left it as a catch-all. if anyone can figure out or guide me to figuring out which specific error should be caught I would appreciate it.Lastly, tests:
I don't have any tests written for this (per the checklist). I'm not sure exactly what would be tested so I won't write any for now.
Given some guidance on what should be tested, I'd be happy to have a go at writing them.