Skip to content
Tauri

Using Plugin Permissions

The goal of this exercise is to get a better understanding on how plugin permissions can be enabled or disabled, where they are described and how to use default permissions of plugins.

At the end you will have the ability to find and use permissions of arbitrary plugins and understand how to custom tailor existing permissions. You will have an example Tauri application where a plugin and plugin specific permissions are used.

  1. Create your Tauri application. In our example we will facilitate create-tauri-app:

    sh <(curl https://create.tauri.app/sh)

    We will proceed in this step-by-step explanation with pnpm but you can choose another package manager and replace it in the commands accordingly.

  2. To search for existing plugins you can use multiple resources.

    The most straight forward way would be to check out if your plugin is already in the Plugins section of the documentation and therefore part of Tauri’s maintained plugin set. The Filesystem plugin is part of the Tauri plugin workspace and you can add it to your project by following the instructions.

    If the plugin is part of the community effort you can most likely find it on crates.io when searching for tauri-plugin-<your plugin name>.

  3. Each plugin has a default permission set, which contains all permissions and scopes to use the plugin out of the box with a reasonable minimal feature set.

    In the case of official maintained plugins you can find a rendered description in the documentation (eg. fs default).

    In case you are figuring this out for a community plugin you need to check out the source code of the plugin. This should be defined in your-plugin/permissions/default.toml.

  4. This step is all about finding the permissions you need to for your commands to be exposed to the frontend with the minimal access to your system.

    The fs plugin has autogenerated permissions which will disable or enable individual commands and allow or disable global scopes.

    These can be found in the documentation or in the source code of the plugin (fs/permissions/autogenerated).

    Let us assume we want to enable writing to a text file test.txt located in the users $HOME folder.

    For this we would search in the autogenerated permissions for a permission to enable writing to text files like allow-write-text-file and then for a scope which would allow us to access the $HOME/test.txt file.

    We need to add these to our capabilities section in our src-tauri/tauri.conf.json or in a file in the src-tauri/capabilities/ folder. By default there is already a capability in src-tauri/capabilities/default.json we can modify.

    Since there are only autogenerated scopes in the fs plugin to access the full $HOME folder, we need to configure our own scope. This scope should be only enabled for the write-text-file command and should only expose our test.txt file.

  5. After we have added the necessary permission we want to confirm that our application can access the file and write it’s content.


© 2024 Tauri Contributors. CC-BY / MIT