Verifies app updates have same permissions as previously installed versions

2026-02-15 17:53:31 +01:00 · 2023-05-15 15:13:13 -05:00
parent 45ed24bfb5
commit af405d9e85
3 changed files with 80 additions and 18 deletions
--- a/Apps/AppManager.swift
+++ b/Apps/AppManager.swift
@@ -985,12 +985,18 @@ private extension AppManager
                
                switch operation
                {
-                case .install(let app), .update(let app):
-                    let installProgress = self._install(app, operation: operation, group: group) { (result) in
+                case .install(let app):
+                    let installProgress = self._install(app, operation: operation, group: group, reviewPermissions: .all) { (result) in
                        self.finish(operation, result: result, group: group, progress: progress)
                    }
                    progress?.addChild(installProgress, withPendingUnitCount: 80)
                    
+                case .update(let app):
+                    let updateProgress = self._install(app, operation: operation, group: group, reviewPermissions: .added) { (result) in
+                        self.finish(operation, result: result, group: group, progress: progress)
+                    }
+                    progress?.addChild(updateProgress, withPendingUnitCount: 80)
+                    
                case .activate(let app) where UserDefaults.standard.isLegacyDeactivationSupported: fallthrough
                case .refresh(let app):
                    // Check if backup app is installed in place of real app.
@@ -1075,7 +1081,14 @@ private extension AppManager
        return group
    }
    
-    private func _install(_ app: AppProtocol, operation appOperation: AppOperation, group: RefreshGroup, context: InstallAppOperationContext? = nil, additionalEntitlements: [ALTEntitlement: Any]? = nil, cacheApp: Bool = true, completionHandler: @escaping (Result<InstalledApp, Error>) -> Void) -> Progress
+    private func _install(_ app: AppProtocol,
+                          operation appOperation: AppOperation,
+                          group: RefreshGroup,
+                          context: InstallAppOperationContext? = nil,
+                          reviewPermissions permissionReviewMode: VerifyAppOperation.PermissionReviewMode = .none,
+                          additionalEntitlements: [ALTEntitlement: Any]? = nil,
+                          cacheApp: Bool = true,
+                          completionHandler: @escaping (Result<InstalledApp, Error>) -> Void) -> Progress
    {
        let progress = Progress.discreteProgress(totalUnitCount: 100)
        
@@ -1122,11 +1135,6 @@ private extension AppManager
            {
                let app = try result.get()
                context.app = app
-                
-                if cacheApp
-                {
-                    try FileManager.default.copyItem(at: app.fileURL, to: InstalledApp.fileURL(for: app), shouldReplace: true)
-                }
            }
            catch
            {
@@ -1137,12 +1145,21 @@ private extension AppManager
        
        
        /* Verify App */
-        let verifyOperation = VerifyAppOperation(context: context)
+        let verifyOperation = VerifyAppOperation(permissionsMode: permissionReviewMode, context: context)
        verifyOperation.resultHandler = { (result) in
-            switch result
+            do
            {
-            case .failure(let error): context.error = error
-            case .success: break
+                try result.get()
+                
+                // Wait until we've finished verifying app before caching it.
+                if let app = context.app, cacheApp
+                {
+                    try FileManager.default.copyItem(at: app.fileURL, to: InstalledApp.fileURL(for: app), shouldReplace: true)
+                }
+            }
+            catch
+            {
+                context.error = error
            }
        }
        verifyOperation.addDependency(downloadOperation)