File chooser portal: explicitly say "the app will be given access to this file"
On https://github.com/flatpak/xdg-desktop-portal-gtk/issues/429 I asked:
We seem to have this as a frequently asked question (I'm paraphrasing several user reports here):
I have a Flatpak app [which is compatible with the file chooser portal, but the user doesn't know that] and I gave it access to ~/Pictures. I can click on File -> Open... or File -> Save As... and select a file in ~/Documents. Is this a security vulnerability?
This is in fact not a vulnerability, and is the whole point of having a file chooser portal - it's asking for user consent to give the app access to the selected file, as a side-effect of asking the user which file they want - but that's not always obvious to users.
Can we stop this being reported quite so frequently by adding a line of text to the bottom of the file chooser window, maybe something like this?
The app "Recipes" will be given read/write access to the selected file.
That would also make sure the user is given the opportunity to make an informed decision.
...
A side benefit of this would be making it a bit more obvious whether an app is using sandbox-friendly file choosers that will go via the portal, or its own non-sandbox-friendly file chooser that requires the app to be given static permissions (Flatpak --filesystem or whatever is Snap's equivalent).
We have several use-cases for this which should probably have different text.
OpenFile with directory=false (default): Open an existing file (or with multiple=true, several files). Straw-man wording:
The app "Recipes" will be given read-only access to the selected file.
The app "Recipes" will be given read/write access to the selected file.
OpenFile with directory=true: Select an existing directory, which I think gives the app access to everything in that directory as well. I don't know whether multiple=true is allowed here. Straw-man wording:
The app "Recipes" will be given read/write access to /home/smcv/Documents/Example and all of its contents.
SaveFile: Select a filename for saving (not necessarily one that already exists). Straw-man wording:
The app "Recipes" will be given read/write access to the selected file.
SaveFiles: same as SaveFile, but the app provides multiple filenames, and the portal returns multiple paths to save into. I don't immediately know what access this implies (only those paths? their common directory and all of its contents?) so I'm not proposing wording for this one.
GNOME/xdg-desktop-portal-gnome and https://github.com/flatpak/xdg-desktop-portal-gtk would both benefit from some mockups here: I expect that they could use essentially the same wording and UI presentation.