Permissions - gd-99/symbiogd GitHub Wiki

Here is a list of permissions in the webos:

  • file.user.read: read files stored in the user's home folder, ~
  • file.user.write: write files in the user's home folder
  • file.home.read: read files in /home
  • file.home.write: write files in /home
  • file.system.read: read system files (all files, /)
  • file.system.write: write system files
  • user.read: read other users' data (username, e-mail...)
  • user.edit: edit other users
  • user.self.edit: edit current user's data
  • user.manage: manage users (set permissions...)
  • package.read: read installed packages
  • package.manage: install packages

Each user has a set of permissions (see #332 for user groups). These permissions can be changed using the System settings app.

Permissions and controllers

Quick overview

A controller is a part of the webos HTTP API. A controller contains methods, e.g. the file controller has methods to read and write files.

Each method has some restrictions: some methods require permissions. These permissions are stored in /etc/permissions/api (one JSON file per controller).

For example, /etc/permissions/api/file.json contains the permissions required for the file controller.

Arguments can be passed to methods. For instance, to copy a file you have to provide the source path and the destination path. Permissions can be required on these arguments: here, the permission to read the source file and the permission to write the destination file.

Thus, permissions can be associated with methods and with their arguments.

Under the hood

Let's take our example of the method which copies a file. Here is how its permissions are stored in the JSON file:

{
	"executeCopy":[
		{
			"argument":0,
			"permission":"file.read"
		},
		{
			"argument":1,
			"permission":"file.write"
		}
	]
}

The first argument is the source file and requires the permission file.read; the second argument is the destination file and requires file.write.

Then, according to the given argument, the permission is translated so that it can be compared with the user's permissions. If the first argument is a file stored in the user's home folder, the permission required to execute the action becomes file.user.read; if it is a file in /home, it becomes file.home.read; and if it is a system file, it becomes file.system.read. Finally, the permissions are compared, and the method is not executed if the user does not have the required permissions.
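
The translation step described above, written out as an added example (Python, not the project's own code). It shows why the path has to be normalized before its scope is chosen: otherwise ~/../bob/x would be checked as file.user.read. The function names, the /home/<username> home layout, exact-match comparison and refusing unlisted methods are assumptions of this example.

```python
import json
import posixpath

# Constructed sample mirroring the executeCopy entry of file.json shown above.
FILE_RULES = json.loads("""
{"executeCopy": [{"argument": 0, "permission": "file.read"},
                 {"argument": 1, "permission": "file.write"}]}
""")

def normalize(path, username):
    """Expand ~ and collapse '.', '..' and '//' so the scope cannot be spoofed."""
    if path == "~" or path.startswith("~/"):
        path = "/home/" + username + path[1:]  # assumed home folder layout
    # Assumption: a path without a leading slash is taken as rooted at /.
    return posixpath.normpath("/" + path.lstrip("/"))

def scope_of(path, username):
    """Return 'user', 'home' or 'system' for an already normalized path."""
    home = "/home/" + username
    if path == home or path.startswith(home + "/"):
        return "user"
    if path == "/home" or path.startswith("/home/"):
        return "home"
    return "system"

def translate(permission, path, username):
    """file.read + path -> file.user.read / file.home.read / file.system.read."""
    family, action = permission.split(".", 1)
    if family != "file":
        return permission  # assumption: only file.* depends on a path argument
    return f"file.{scope_of(normalize(path, username), username)}.{action}"

def missing_permissions(rules, method, args, username, granted):
    """Return the translated permissions the user lacks; empty means allowed."""
    if method not in rules:
        return ["<no rule for method>"]  # assumption: refuse unlisted methods
    required = [translate(r["permission"], args[r["argument"]], username)
                for r in rules[method]]
    # Assumption: exact match, no permission implies another.
    return [p for p in required if p not in granted]
```

Normalization here is lexical only; if the storage layer supports symbolic links, the scope has to be decided on the resolved path instead.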