Per-file permission system #14984
Replies: 2 comments
-
I think there is a technical problem with doing it that granularly; it could be done at the worker level, e.g. one worker has access but another doesn't. I do support the idea; it usually comes up on Hacker News, for instance, when people talk about Deno. But it can't be done easily, otherwise it would have been.
-
You can't really handle per-module ... anything. Functions don't know what file they were called from, full stop. Anyway, let's assume that functions could read the caller context and determine the file name.

```javascript
// a.mjs
// this isn't allowed!
async function read_prohibited_files(file_name) {
  // Deno checks --allow-read for the whole process here; it cannot tell
  // whether a.mjs itself or some importer of a.mjs is behind this call.
  const data = await Deno.readFile(file_name);
  return new TextDecoder().decode(data);
}
export { read_prohibited_files };
```

```javascript
// b.mjs
import { read_prohibited_files } from "./a.mjs";

// Oh no! a.mjs read prohibited_file_path, because this function was called from a different file
const prohibited_file_path = Deno.args[0]; // whatever path b.mjs chooses to pass in
console.log(await read_prohibited_files(prohibited_file_path));
```

Such restrictions can be rather trivially broken and shouldn't be relied on for security; it is far safer to enforce permissions on a per-context basis, which is what Deno currently does.
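To show concretely why the reply above says a per-file check is trivially broken, here is an added example that is not part of the discussion and not Deno code. It builds the kind of "per-file" gate the reply imagines, attributing each read to the file of the immediate caller by parsing the V8 stack trace, and then gets past it three different ways. The file system is a constructed in-memory object, and the separate "files" are simulated inside one script with `Function()` plus a `//# sourceURL=` comment, which V8 honours when it prints stack frames; the paths `file:///app/main.mjs` and `file:///app/node_modules/evil/index.mjs` are invented for the example. It runs under Node or Deno.

```javascript
const PROHIBITED_PATH = "/etc/prohibited";
// Constructed stand-in for the file system; nothing on disk is touched.
const FAKE_FS = { [PROHIBITED_PATH]: "constructed secret only main.mjs should see" };
// The only "file" the gate is meant to serve.
const ALLOWED_FILES = new Set(["file:///app/main.mjs"]);

// Returns the file of whoever called gatedRead: the stack frame right after
// gatedRead's own frame, parsed out of the V8 stack trace text.
function callerFile() {
  const lines = String(new Error().stack).split("\n");
  const i = lines.findIndex((l) => /\bat gatedRead\b/.test(l));
  const frame = i >= 0 ? lines[i + 1] ?? "" : "";
  const m = frame.match(/\((.*?):\d+:\d+\)\s*$/) || frame.match(/\bat (.*?):\d+:\d+\s*$/);
  return m ? m[1] : "<unknown>";
}

// The hypothetical per-file gate: serve the read only to main.mjs.
function gatedRead(path) {
  const caller = callerFile();
  if (!ALLOWED_FILES.has(caller)) {
    throw new Error(`permission denied: ${caller} may not read ${path}`);
  }
  return FAKE_FS[path];
}

// Compiles `body` as if it lived in `url`: V8 reports the sourceURL as the
// file name in stack traces for code created with Function() or eval().
function moduleAt(url, params, body) {
  return new Function(...params, `${body}\n//# sourceURL=${url}`);
}

// 1. The untrusted dependency calls the gate directly: denied, as intended.
function directAttempt() {
  const dep = moduleAt("file:///app/node_modules/evil/index.mjs",
    ["gatedRead", "path"], "return gatedRead(path);");
  try { dep(gatedRead, PROHIBITED_PATH); return "read"; } catch { return "denied"; }
}

// 2. Confused deputy, the scenario from the reply above: main.mjs exports a
// helper that reads on behalf of its caller, so the gate sees main.mjs as
// the immediate caller and says yes no matter who imported the helper.
const readConfig = moduleAt("file:///app/main.mjs", ["gatedRead"],
  "return function readConfig(path) { return gatedRead(path); };")(gatedRead);

function confusedDeputy() {
  const dep = moduleAt("file:///app/node_modules/evil/index.mjs",
    ["readConfig", "path"], "return readConfig(path);");
  return dep(readConfig, PROHIBITED_PATH);
}

// 3. Spoofed origin: the dependency simply claims to be main.mjs.
function spoofedOrigin() {
  const dep = moduleAt("file:///app/main.mjs", ["gatedRead", "path"], "return gatedRead(path);");
  return dep(gatedRead, PROHIBITED_PATH);
}

// 4. Rewritten trace: V8 lets any script decide how stack traces are
// formatted, so the "caller" string is attacker-controlled outright.
function rewrittenStack() {
  const saved = Error.prepareStackTrace;
  Error.prepareStackTrace = () =>
    "Error\n    at gatedRead (file:///app/gate.mjs:1:1)\n    at main (file:///app/main.mjs:1:1)";
  try {
    return gatedRead(PROHIBITED_PATH);
  } finally {
    Error.prepareStackTrace = saved;
  }
}
```

Only the first case is stopped. The second needs no trick at all, just an import of a function the trusted file legitimately exports, which is why the check cannot be rescued by hardening the stack parser: the runtime has no notion of which module "owns" a call, and a boundary that the code under test can describe in its own words is not a boundary. Deno's worker-level permissions are enforced by the runtime per thread, outside anything the sandboxed script can influence.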
-
Right now, when you `deno run` a script with some permission, every bit of code in the executable has the permission. It would be great if it could optionally be assigned on a per-file and per-dependency basis. For example, maybe I want my main code to have access to some environment variable, but not all my dependencies should be able to read it. Same thing for internet access or whatever.
Now the big question is how to handle permissions for recursive dependencies (depA imports depB, and depA needs some permission but doesn't need depB to inherit it). One way could be to have a special file that can be imported and that would describe which permission each import has access to.
Maybe there should also be a way to control permissions inside a file itself, meaning giving different permissions to different code blocks, because if we compress multiple dependencies together into a single file then what I said earlier can't be used anymore.
The biggest problem I have is how to make everything compatible with classical TypeScript (i.e. not introducing new random syntax).
Anyway this is my first time using github discussions, so I hope I am using it right.
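The closest thing Deno has today to the "special file describing which permission each import has access to" is the per-worker permissions the first reply mentions: a script can spawn a dependency in its own `Worker` and pass a `deno.permissions` object for that thread. The example below is added here and is not code from the discussion or from the Deno project. The manifest format and the file names `./vendor/uploader.js` and `./vendor/leftpad.js` are invented for the example; `new Worker(url, { type: "module", deno: { permissions } })` and `Deno.mainModule` are real Deno APIs. The manifest handling runs anywhere; `runSandboxed` only works under Deno.

```javascript
// Hypothetical manifest: dependency specifier -> permissions it may hold.
// The format is invented for this example; Deno has no such file.
const MANIFEST = {
  "./vendor/uploader.js": { net: ["api.example.com:443"], read: ["./outbox"] },
  "./vendor/leftpad.js": {}, // listed, needs nothing
};

// Permission names accepted in WorkerOptions.deno.permissions (Deno 1.x; the
// exact set follows the Deno version). Anything not granted is denied.
const DENY_ALL = { env: false, ffi: false, net: false, read: false, run: false, sys: false, write: false };

function isPermissionValue(v) {
  return typeof v === "boolean" || (Array.isArray(v) && v.every((s) => typeof s === "string"));
}

// Builds the permissions object for one dependency. Unlisted dependencies are
// not refused; they simply get nothing, so forgetting an entry fails closed.
function workerPermissionsFor(manifest, specifier) {
  const granted = manifest[specifier] ?? {};
  for (const [name, value] of Object.entries(granted)) {
    if (!(name in DENY_ALL)) throw new Error(`${specifier}: unknown permission '${name}'`);
    if (!isPermissionValue(value)) throw new Error(`${specifier}: '${name}' must be boolean or string[]`);
  }
  return { ...DENY_ALL, ...granted };
}

// Runs `specifier` in its own worker holding only the manifest's grants and
// resolves with the worker's first message. Deno-only: permissions are scoped
// to the worker thread by the runtime, and Deno rejects any grant that
// exceeds what the parent process was started with.
function runSandboxed(specifier, message, manifest = MANIFEST) {
  const permissions = workerPermissionsFor(manifest, specifier);
  const url = new URL(specifier, Deno.mainModule).href;
  return new Promise((resolve, reject) => {
    const worker = new Worker(url, { type: "module", deno: { permissions } });
    worker.onmessage = (e) => { resolve(e.data); worker.terminate(); };
    worker.onerror = (e) => { reject(new Error(e.message)); worker.terminate(); };
    worker.postMessage(message);
  });
}

// Usage under Deno, with the parent started with the union of the manifest:
//   deno run --allow-net=api.example.com:443 --allow-read=./outbox main.js
// where main.js does
//   const reply = await runSandboxed("./vendor/uploader.js", { file: "report.txt" });
// The main thread keeps its own grants (for example an API key from the
// environment). Inside the worker, Deno.env.get("API_KEY") throws
// PermissionDenied because the manifest grants it no env permission.
```

Two caveats a practitioner should keep in mind. First, this isolates per thread, not per file: two dependencies loaded into the same worker share its grants, and a dependency imported by the main module still runs with the main module's permissions, which is exactly the recursive-dependency problem the post raises. Second, a worker can only receive a subset of the parent's permissions, so the parent must be launched with everything any worker needs, and what crosses `postMessage` is structured-clone data, not the dependency's exported functions, so the dependency has to be written as a message handler.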