tauri-docs icon indicating copy to clipboard operation
tauri-docs copied to clipboard

Published 20 hours ago verified publisher icon tauri-apps

"core layer" is unclear

Open elibroftw opened this issue 3 years ago • 12 comments

In https://tauri.app/v1/api/js/modules/fs#security, we are only told "if you need access to arbitrary filesystem paths, you must write such logic on the core layer instead" but what does "core layer" entail? Would we have to use Rust ourselves? Why make life difficult for us? This is such a nuisance in the name of security.

elibroftw avatar Jun 30 '22 20:06 elibroftw

The FS APIs expect a path relative to one of the base directories. To bypass that you need to write your own Rust command, like:

#[tauri::command]
async fn read_file(path: std::path::PathBuf) -> Vec<u8> {
	std::fs::read(path).unwrap()
}

For security reasons we won't allow arbitrary paths.

lucasfernog avatar Jul 04 '22 17:07 lucasfernog

Security aside, I'm asking to improve the docs to use more explicit terms than "core layer"

elibroftw avatar Jul 04 '22 18:07 elibroftw

welp, we introduced core and core layer to make the docs clearer, guess that didn't work out 😅 Do you have suggestions? Just calling it "rust", "rust layer" or "the rust side"?

p.s. for what it's worth we explain the concept of the core side in the architecture section

FabianLars avatar Jul 04 '22 21:07 FabianLars

Rust layer will probably be clearer for everyone (not everyone will read the architecture section).

lucasfernog avatar Jul 04 '22 22:07 lucasfernog

Rust side. Core layer communicates internal aspects whereas core process is clear. I thought we might have to edit the library ourselves but then I just assumed the rust side would work. I asked for clarification since the wording acted like there are many restrictions rather than just the front-end one.

elibroftw avatar Jul 04 '22 23:07 elibroftw

And I started using tauri in January. I'm creating a tutorial series for people.

Tauri & ReactJS - Modern Desktop App Tutorial: https://www.youtube.com/playlist?list=PLmWYh0f8jKSjt9VC5sq2T3mFETasG2p2L

elibroftw avatar Jul 04 '22 23:07 elibroftw

Is the change implemented? Because I saw core layer right now, and i was also confused.

ihsan6133 avatar Jul 26 '23 07:07 ihsan6133

Nope, that's why this issue is still open :)

FabianLars avatar Jul 26 '23 08:07 FabianLars

Is "core layer", as a term, defined somewhere on a dedicated paragraph/page? Because the line quoted in the original post of this thread could be completely solved with a link to the definition of "core layer".

Further, the reason it's confusing is because those docs tend to be wall to wall with connective links, which is great. However this specific sounding term is unlinked and does not appear in search results of the docs.

https://tauri.app/v1/api/js/fs/#security A link on this paragraph would fix this issue.

  • The fs page refers to "core layer"
  • An early post in this thread refers to"core side"
  • The page refers to "core ecosystem"

Yes, I was just now confused by this issue.

I understand how completely walling off the entire filesystem is attractive from a security standpoint. I'm not a fan of it (for my own selfish reasons), but I totally understand it. It's hard for people to break in to your house if you don't have doors or windows in the first place.

ogrotten avatar Aug 26 '23 18:08 ogrotten

Thanks for that feedback, really valuable to us! And to answer for the v1 docs, i think there's only this https://tauri.app/v1/references/architecture/process-model#the-core-process which is at least something we could've linked to...

FabianLars avatar Aug 29 '23 08:08 FabianLars

if you just want access any path files, and don't care whatever "security", refer this what provide by chatgpt.

set scope all in src-tauri/tauri.conf.json:

{
 "tauri": {
    "allowlist": {
      "fs": {
        "scope": ["**"],
        "all": true,
      }
    },
  }
}

add some rust code in src-tauri/src/main.rs:

fn main() {
  tauri::Builder::default()
    // add next line
    .invoke_handler(tauri::generate_handler![read_file, read_dir])
    .run(tauri::generate_context!())
    .expect("error while running tauri application");
}

#[tauri::command]
async fn read_file(path: std::path::PathBuf) -> Result<Vec<u8>, String> {
  match std::fs::read(path) {
      Ok(data) => Ok(data),
      Err(err) => Err(format!("Failed to read file: {}", err)),
  }
}

#[tauri::command]
async fn read_dir(path: std::path::PathBuf) -> Result<Vec<std::path::PathBuf>, String> {
  match std::fs::read_dir(&path) {
      Ok(entries) => {
          let paths: Vec<std::path::PathBuf> = entries
              .filter_map(|entry| {
                  entry.ok().map(|dir_entry| dir_entry.path())
              })
              .collect();
          Ok(paths)
      }
      Err(err) => Err(format!("Failed to read directory: {}", err)),
  }
}

then you can in js call it like:

async function read_file() {
    await invoke('read_file', { path: 'E:\\Download\\test.txt' })
      .then((response) => {
        const content = new TextDecoder().decode(new Uint8Array(response));
        console.log(content);
      }).catch((err) => {
        console.error(err);
      });
  }

async function read_dir() {
  await invoke('read_dir', { path: 'E:\\Download' })
    .then((response) => {
      console.log(response);
    }).catch((err) => {
      console.error(err);
    });
}

i tested, this can correct run you want.

Mesimpler avatar Sep 05 '23 07:09 Mesimpler

set scope all in src-tauri/tauri.conf.json:

{
 "tauri": {
    "allowlist": {
      "fs": {
        "scope": ["**"],
        "all": true,
      }
    },
  }
}

Just this one step is enough.

AuTa avatar Jan 23 '24 10:01 AuTa