[feat] Allow reading any file #3591

Closed
Sparkenstein opened this issue Mar 2, 2022 · 7 comments

Sparkenstein commented Mar 2, 2022

Describe the problem

I am working on an application where I need to read any file from anywhere in the user's directory. Currently we have only a fixed set of configurable scopes, so the user of my application won't be able to select any file.

Describe the solution you'd like

Need a way to select any file from the file system. If I can only select a file from a specific directory like Download or Document etc., it's not a useful desktop application. Even a webapp can read any file.

Alternatives considered

No response

Additional context

The application I am working on calculates the hash of any file. It's a pretty straightforward use case: the user selects whichever file he wants, and I calculate the hash of that file.

@FabianLars
Member

We are working on some kind of whitelist system for user-selected paths (dialog and file-drop).
Providing a general "read all the files you want" option most likely won't be implemented, as this behavior got introduced as a result of the audit.

Furthermore, you don't have these restrictions in Rust, which should generally be preferred for file system interactions anyway.
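
An added illustration (not part of the thread and not Tauri's implementation) of the allowlist idea described above: trusted Rust code records the paths a dialog or file-drop returned, and every later read request is canonicalized and checked against that set. `SelectedPathScope` and its methods are hypothetical names, and the files are constructed samples.

```rust
use std::collections::HashSet;
use std::path::{Path, PathBuf};
use std::{env, fs, io, process};

/// Hypothetical runtime scope: only files the user explicitly picked are readable.
#[derive(Default)]
pub struct SelectedPathScope {
    allowed: HashSet<PathBuf>,
}

impl SelectedPathScope {
    /// Called by trusted (Rust-side) code when a dialog or file-drop returns a path.
    pub fn allow_file(&mut self, picked: &Path) -> io::Result<()> {
        // Store the canonical form: absolute, no `..`, symlinks resolved.
        self.allowed.insert(fs::canonicalize(picked)?);
        Ok(())
    }

    /// Canonical path if the request resolves to a picked file, else None.
    pub fn resolve(&self, requested: &Path) -> Option<PathBuf> {
        let real = fs::canonicalize(requested).ok()?;
        self.allowed.contains(&real).then_some(real)
    }

    /// Read gate for requests coming from the untrusted frontend.
    pub fn read(&self, requested: &Path) -> io::Result<Vec<u8>> {
        let real = self.resolve(requested).ok_or_else(|| {
            io::Error::new(io::ErrorKind::PermissionDenied, "path not in scope")
        })?;
        fs::read(real) // read the path that was checked, not the raw input
    }
}

fn main() -> io::Result<()> {
    // Constructed sample files in a temp directory.
    let dir = env::temp_dir().join(format!("scope-demo-{}", process::id()));
    fs::create_dir_all(dir.join("sub"))?;
    fs::write(dir.join("picked.txt"), b"user chose this")?;
    fs::write(dir.join("other.txt"), b"never selected")?;

    let mut scope = SelectedPathScope::default();
    scope.allow_file(&dir.join("picked.txt"))?; // what the dialog returned

    for name in ["picked.txt", "sub/../picked.txt", "other.txt", "missing.txt"] {
        println!("{name}: {:?}", scope.read(&dir.join(name)).map(|b| b.len()));
    }
    fs::remove_dir_all(&dir)
}
```

Because the comparison is made on canonical paths, a request that reaches the picked file through a `..` detour is accepted, while a neighbouring file that was never selected is refused with `PermissionDenied`.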

lucasfernog added a commit to lucasfernog/tauri that referenced this issue Mar 2, 2022
@Sparkenstein
Author

Thank you for the response. Yes, I might try to implement it myself in Rust.

But I am failing to understand what Tauri is achieving by implementing such a feature. As you mentioned, it's achievable with Rust anyway, so from what I see Scopes is just making Tauri developers write extra code.

Tauri apps are desktop apps; they are supposed to read any file. So far my entire application works just fine without a single line of Rust, but just to enable reading any file I will have to write the logic myself. I hope I was able to convey my thoughts.

@nothingismagick
Sponsor Member

We are working on a solution (see lucasfernog@bcca82e). However, the security implication is that access to ANY file is very, very much a security risk, especially if you are using any code / dependency that you didn't write yourself. Giving this kind of superpower to JS should scare you. Writing Rust should not scare you. :)


trgwii commented Mar 3, 2022

What plans are there to mitigate the security risks involved if you are using code / dependencies that you didn't write yourself in Rust?

@nothingismagick
Sponsor Member

You should use the isolation pattern: https://tauri.studio/docs/architecture/patterns/isolation

You should vet your dependencies with e.g. SNYK.COM or SOCKET.DEV

You should read our Security Guidelines: https://tauri.studio/docs/development/security

@nothingismagick
Sponsor Member

Not sure why you felt it necessary to thumbs-down the response to @trgwii, @Sparkenstein. If you want to persist this setting (which a user should be empowered to do - and against our security recommendations) then you can use this:

https://github.com/tauri-apps/tauri-plugin-persisted-scope


trgwii commented Mar 7, 2022

I feel like if they were only recommendations, there would be a scope for $ROOT. How is Rust having full FS access less of a security issue than JS having it? Is all code on crates.io audited by security professionals to not misbehave in the context of Tauri?
