ubuntu-phone team mailing list archive
Message #10038
Re: Addition of signon-apparmor-extension
On 10/02/2014 01:22 PM, James Henstridge wrote:
> I don't know the exact details of the scope Chris ran into this with,
> but I am curious about how this ACL is being checked. I do know that
> Chris's scopes are Click packaged, so they will be running with an
> AppArmor profile name of the form "$packagename_$scopename_$version",
> even if that profile is equivalent to "unconfined". Is that going to
> pass this ACL check?

Mmm... this is interesting. So, regardless of the contents of the
profile, OA will see the app as "$packagename_$scopename_$version", and
it will let it access the desired account only if
"$packagename_$scopename_*" is present in the account's ACL.

> I'd imagine the same issue is going to affect any application that
> uses Click packaging too.

If you mean to say that any application that uses Click packaging can't
just access any account it wishes, that's indeed true. We have an API to
request access to an account (and I realize just now that's not listed
in developer.ubuntu.com), and that's via the "Setup" element of the
"Ubuntu.OnlineAccounts.Client 0.1" QML module.

The UI flow is described here:
https://wiki.ubuntu.com/OnlineAccounts#App_access

Scopes need to call this method as well, if they want to access the
account. IIRC, the plan was to have a scope-config tool which would do
that on their behalf.

(the other option is to go to the Accounts panel in the system settings,
click on the desired account and enable the application/scope from there)

Ciao,
Alberto
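
The ACL check described in the message above, sketched as an added example (this is not code from signon-apparmor-extension or Online Accounts, and not part of the original message). The package and scope names, the versions, and the strict three-field parsing of the label are assumptions; how the real extension treats labels that are not in the Click form is not covered in the message.

```python
from typing import Iterable, Optional


def acl_entry_for(label: str) -> Optional[str]:
    """Map a Click AppArmor label "$packagename_$scopename_$version" to the
    version-wildcarded ACL entry "$packagename_$scopename_*".

    Assumption: the three fields are separated by exactly two underscores
    and none of them is empty. Any other label (e.g. "unconfined") gives None.
    """
    parts = label.split("_")
    if len(parts) != 3 or not all(parts):
        return None
    package, name, _version = parts
    return f"{package}_{name}_*"


def may_access(label: str, account_acl: Iterable[str]) -> bool:
    """Grant access only if the entry derived from the label is present in
    the account's ACL. The decision uses the profile *name* alone; the rules
    inside the profile (even "equivalent to unconfined") play no part."""
    entry = acl_entry_for(label)
    return entry is not None and entry in set(account_acl)


# Constructed sample data: hypothetical package, scope names and versions.
ACCOUNT_ACL = ["com.example.photos_gallery-scope_*"]
SAMPLE_LABELS = [
    "com.example.photos_gallery-scope_1.0",  # scope that was granted access
    "com.example.photos_gallery-scope_1.1",  # same scope after an upgrade
    "com.example.photos_upload-scope_1.0",   # sibling scope, never granted
    "com.example.other_gallery-scope_1.0",   # same scope name, other package
    "unconfined",                            # not a Click-style label
]


def evaluate_samples() -> dict:
    """Return the access decision for every constructed sample label."""
    return {label: may_access(label, ACCOUNT_ACL) for label in SAMPLE_LABELS}


if __name__ == "__main__":
    for label, allowed in evaluate_samples().items():
        print(f"{label:40} {'allow' if allowed else 'deny'}")
```

Because the entry wildcards only the version field, an upgraded scope keeps its access, while a sibling scope in the same package still has to be enabled separately through the "Setup" flow or the Accounts panel.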