by lifthrasiir 3644 days ago
The mix of the grandparent's and your options might give a very streamlined UX: the app is always given the full permission, but it is only simulated by default, and on any actual access the user is notified of that with a non-modal message box, where one can turn the simulation on or off. Some permissions (e.g. storage access) may not be hard to generalize like this, but it may work for other permissions like GPS and so on.

> Some permissions (e.g. storage access) may not be hard to generalize like this

In fact doing it this way would be very bad.

In a sandbox model it’s usually the container that owns the file selection UI, perhaps accepting some plugins etc. from the client. The client is never granted permissions to see outside the sandbox. Pretend mode in this context would result in requesting unnecessarily broad access.

IMO for things like location, the only way to do it in both a user-friendly and a privacy-friendly way requires a capabilities system. When an app is given privacy-sensitive data it shouldn’t be simultaneously granted any permissions that allow this data to be leaked.