home directory exposed

[anarcat]

This flatpak should do a better job at isolating the software from the rest of the system:

org.zotero.Zotero/org.zotero.Zotero.json

Lines 9 to 17 in 4dc4657

	"finish-args": [
	"--socket=x11",
	"--share=ipc",
	"--share=network",
	"--filesystem=home",
	"--filesystem=xdg-desktop",
	"--filesystem=xdg-documents",
	"--filesystem=xdg-download"
	],

... the use of portals for documents, desktop and downloads is great, but why do we need access to the entire $HOME directory? (And arguably, do we really need access to the other directories as well?) I understand it might be necessary to access the zotero database (say in ~/Zotero?) but in that case, shouldn't we restrict to that directory only?

It would be great to have instructions on how to secure this a little further, in any ways...

[felipehw]

Users of Zotero need access to directories where are located files that they want to attach to their Zotero items.

For example: A user has a PDF file at ~/Documents/myLovedBook.pdf, he needs access to xdg-documents to attach this file in a Zotero item ...

Usual dirs to these use cases are xdg-desktop, xdg-documents, xdg-download, and files downloaded directly at home.

I'm a bit afraid of setting very strict rules and make the average Joe suffer because he doesn't understand how to tweak sandbox. (There are critics about this Flatpak already being too much restrictive at Gnome Software reviews)

Advanced users can set this using CLI or Flatseal.

What do you think, @anarcat?

[anarcat]

Usual dirs to these use cases are xdg-desktop, xdg-documents, xdg-download, and files downloaded directly at home.
What do you think, @anarcat?

... i would argue that "files downloaded directly at home" are so rare that I don't think it's worth considering them.

really, the important bit is the zotero configuration directory, and that should be included in the defaults for sure...

[felipehw]

@anarcat

What do you think about #70 ?

[anarcat]

love it. a bit broader than what i would do personnally, but that's fine i guess.

[danielwe]

Adding a data point here: I like to set up automatic export of my library through the Better BibTeX plugin to a bib file in ~/texmf/bibtex/bib/, which is where bib files should go if you want BibTeX and related tools to pick them up automatically. I was mystified when I couldn't access this folder through Zotero's export dialog, especially since I could access many other things in the home folder.

I finally made it here and found the workaround by following the link above to #70, but it was a confusing issue to get to the bottom of---it was not obvious that flatpak was the culprit, so I didn't see the relevant flathub blurb until after I had found the solution (I had never used flatpak before I started setting up this system).

I can imagine similar issues for people who like to send attachments to a dropbox folder or similar using the Zotfile plugin. In general, people organize their files in many different ways and it seems excessively strict to restrict Zotero exports and imports to XDG directories only.