跳至内容
Tauri

命令作用域

作用域是一种细粒度的方法,用于定义 Tauri 命令的(禁止)行为。

作用域分为 allowdeny 作用域,其中 deny 总是优于 allow 作用域。

作用域类型必须是任何 serde 可序列化类型。这些类型通常是特定插件的。对于在 Tauri 应用程序中实现的具有作用域的命令,作用域类型需要在应用程序中定义,然后在其命令实现中强制执行。

例如,Fs 插件允许您使用作用域允许或禁止某些目录和文件,而 http 插件使用作用域过滤允许访问的 URL。

作用域传递给命令,处理或正确强制执行是由命令本身实现的。

示例

以下示例来自 Fs 插件权限

本插件中所有命令的作用域类型为字符串,其中包含一个与 glob 兼容的路径。

plugins/fs/permissions/autogenerated/base-directories/applocaldata.toml
[[permission]]
identifier = "scope-applocaldata-recursive"
description = '''
This scope recursive access to the complete `$APPLOCALDATA` folder,
including sub directories and files.
'''
[[permission.scope.allow]]
path = "$APPLOCALDATA/**"
plugins/fs/permissions/deny-webview-data.toml
[[permission]]
identifier = "deny-webview-data-linux"
description = '''
This denies read access to the
`$APPLOCALDATA` folder on linux as the webview data and
configuration values are stored here.
Allowing access can lead to sensitive information disclosure and
should be well considered.
'''
platforms = ["linux"]
[[scope.deny]]
path = "$APPLOCALDATA/**"
[[permission]]
identifier = "deny-webview-data-windows"
description = '''
This denies read access to the
`$APPLOCALDATA/EBWebView` folder on windows as the webview data and
configuration values are stored here.
Allowing access can lead to sensitive information disclosure and
should be well considered.
'''
platforms = ["windows"]
[[scope.deny]]
path = "$APPLOCALDATA/EBWebView/**"

上述作用域可以用来允许访问 APPLOCALDATA 文件夹,同时防止在 Windows 上访问包含敏感 webview 数据的 EBWebView 子文件夹。

这些可以合并到一个集合中,从而减少重复配置,并使任何人查看应用程序配置时更加直观。

首先,将拒绝作用域合并到 deny-default

plugins/fs/permissions/deny-default.toml
[[set]]
identifier = "deny-default"
description = '''
This denies access to dangerous Tauri relevant files and
folders by default.
'''
permissions = ["deny-webview-data-linux", "deny-webview-data-windows"]

然后合并拒绝和允许作用域

[[set]]
identifier = "scope-applocaldata-reasonable"
description = '''
This scope set allows access to the `APPLOCALDATA` folder and
subfolders except for linux,
while it denies access to dangerous Tauri relevant files and
folders by default on windows.
'''
permissions = ["scope-applocaldata-recursive", "deny-default"]

这些作用域可以作为所有命令使用,通过扩展插件的全球作用域,或者仅选择一些命令在权限中使用时与启用的命令一起使用。

APPLOCALDATA 中的文件具有合理的只读访问权可能如下所示

[[set]]
identifier = "read-files-applocaldata"
description = '''
This set allows file read access to the `APPLOCALDATA` folder and
subfolders except for linux,
while it denies access to dangerous Tauri relevant files and
folders by default on windows.'''
permissions = ["scope-applocaldata-reasonable", "allow-read-file"]

以下示例仅突出显示作用域功能本身。每个插件或应用程序开发者需要根据其使用情况考虑合理的作用域组合。


© 2025 Tauri 贡献者。CC-BY / MIT