Deno: List all required permissions at once

Permissions are are queried during runtime so there's really no way to do that.

However, before #3296 we had this behavior that prompted user user about permissions in terminal instead of throwing error, I really wish it's brought back under --prompt flag.

@ry thoughts?

For deno test, in std, the permissions could be asserted prior to beginning the tests.
Similarly for anyone writing their own script.

For deno test, in std, the permissions could be asserted prior to beginning the tests.
Similarly for anyone writing their own script.

@hayd can you elaborate?

@isAdrisal, as @hayd pointed out, the deno test is special here but this may be a problem for programs other than tests so it may be worth to think about.

I see two ways to write a program that doesn't suffer from the delayed exception:

1. With the current API:
   
   
   
   • If my program needs to read an env var some time later, I can move it to the beginning of the program to make it fail fast.
   
   
   • If it needs to write a file later then I cannot move it to the beginning because at that point I may have nothing to write, but I can try to open a file for writing and make it fail fast if I have no permissions.
   
   
2. With a new API to test for permissions:
   
   
   
   • For every operation that needs some permission there could be a way to test for having that permission.
   
   

E.g.

assert.allowWrite('/tmp'); // throws just like writing
// but with no need to write a dummy file just to see if it can

test.allowWrite('/tmp'); // returns boolean

It would also help in case when there is --prompt because it's more convenient to be asked about the permissions instantly than 30 seconds later, especially when I start a program, see that it's busy and go for a coffee only to find out 10 minutes later that it got stuck after 30 seconds.

By the way, as for the permissions for deno test, it always concerns me that it asks for --allow-write while I believe it only needs --allow-write=. or even --allow-write=./one-file

By the way, as for the permissions for deno test, it always concerns me that it asks for --allow-write while I believe it only needs --allow-write=. or even --allow-write=./one-file

👍 feel free to open issue for that, it's because of a hack I used in test runner, might be possible to remove it

Thanks for the detailed explanations!

@rsp I've had a brief play with the current permissions.request() api using examples from #3296. Including something like this at the beginning of a script provides instant prompts in the terminal for the required permissions. Is this similar to what you meant in your first scenario?

const requestPerms = async (perms) => {
  for (const perm of perms) {
    await Deno.permissions.request({ name: perm });
  };
};

requestPerms(["read", "write"]);

@bartlomieju This api provides fairly nice user prompts. Would it be possible to implement something similar in deno test?

@bartlomieju I didn't know it was your hack - I thought it was quite clever when I discovered what's going on after I saw the .deno.test.ts file flashing.

I just faced the frustration of:

deno test/test_test.ts > run again with the --allow-env flag
deno test test/test_test.ts --allow-env > run again with the --allow-write flag
deno test test/test_test.ts --allow-env --allow-write flag > run again with the --allow-net flag
deno test test/test_test.ts --allow-env --allow-write --allow-net flag > Uncaught PermissionDenied: run again with the --allow-run flag

There was no long delay like the OP reported, but It is bordering on unusable like this. I hope a solution can be found. . Thanks.

@David-Else actually not only a single message would be nice but also those wide privileges are most likely not needed at all. I'm sure it doesn't need --allow-write to the entire filesystem, but when we grant it that then any mistake in the script could potentially corrupt all your data.

When I got a series of those "run again" messages, my first wishes were:

• tell about all privileges at once
• tell me specific --allow-write=x instead of all-powerful --allow-write and --allow-run
• tell me what line of code needs it, so I can review it myself (first time I saw a program asking me for basically full access to all my data just to run tests, I thought that it might be some malicious code and didn't run it as it asked me before digging into the code)

We can't know about permissions required by code that hasn't run yet. User code needs to use Deno.permissions.query() to assert all required privileges ahead of time, as @hayd suggested.

We should provide a convenience function to do this: assert a set of permissions and provide a complete error message specifying all that aren't met.

If we could do something like this:

await Deno.permissions.request(['one', 'two']);

... then a program could more easily request all of its permissions up front and it would be possible to display only a single prompt.

Something like that might make sense in std asserts.ts?

This:

await Deno.permissions.request(['one', 'two']);

Looks similar to:

await navigator.permissions.requestAll(...);

using the Web Permissions API. Maybe it would be a good idea to have a similar API with:

• navigator.permissions.query()
• navigator.permissions.request()
• navigator.permissions.requestAll()

See:

• https://developer.mozilla.org/en-US/docs/Web/API/Permissions_API
• https://developer.mozilla.org/en-US/docs/Web/API/Permissions/query
• w3c/permissions#191
• w3c/sensors#388
• https://w3c.github.io/permissions/
• https://caniuse.com/#search=Permissions

Closed in #4258. An std module exists for this now. --prompt discussion is tracked in #3811. deno test no longer requires technical permissions.