configuring-tauri-permissions
53
总安装量
53
周安装量
#4019
全站排名
安装命令
npx skills add https://github.com/dchuk/claude-code-tauri-skills --skill configuring-tauri-permissions
Agent 安装分布
gemini-cli
41
opencode
41
claude-code
37
antigravity
35
github-copilot
31
Skill 文档
Tauri Permissions Configuration
This skill covers the Tauri v2 permission system for controlling frontend access to backend commands and system resources.
Permission System Overview
Permissions in Tauri are explicit privileges that grant or deny access to specific commands. They form the security boundary between frontend code and system resources.
Core Components
| Component | Purpose |
|---|---|
| Permission | Defines access to specific commands |
| Scope | Restricts commands to specific paths/resources |
| Capability | Links permissions to windows/webviews |
| Identifier | Unique name referencing a permission |
Security Model
- Frontend code cannot access commands without explicit permission
- Deny rules always take precedence over allow rules
- Permissions must be linked to capabilities to be active
- Each window/webview can have different permissions
Permission Identifiers
Naming Convention
Format: <plugin-name>:<permission-type>
| Pattern | Example | Description |
|---|---|---|
<name>:default |
fs:default |
Default permission set |
<name>:allow-<command> |
fs:allow-read-file |
Allow specific command |
<name>:deny-<command> |
fs:deny-write-file |
Deny specific command |
<name>:allow-<scope> |
fs:allow-app-read |
Allow with predefined scope |
Identifier Rules
- Lowercase ASCII letters only:
[a-z] - Maximum length: 116 characters
- Plugin prefixes (
tauri-plugin-) added automatically at compile time
Directory Structure
Application Structure
src-tauri/
âââ capabilities/
â âââ default.json # Main capability file
â âââ admin.toml # Additional capabilities
âââ permissions/
â âââ custom-permission.toml # Custom app permissions
âââ tauri.conf.json
Plugin Structure
tauri-plugin-example/
âââ permissions/
â âââ default.toml # Default permission set
â âââ autogenerated/ # Auto-generated from commands
â â âââ commands/
â âââ custom-scope.toml # Custom scopes
âââ src/
âââ commands.rs
âââ build.rs
Capability Configuration
Capabilities link permissions to windows and define what frontend contexts can access.
JSON Format (Recommended for Apps)
{
"$schema": "../gen/schemas/desktop-schema.json",
"identifier": "main-capability",
"description": "Main window permissions",
"windows": ["main"],
"permissions": [
"core:default",
"fs:default",
"fs:allow-read-text-file",
{
"identifier": "fs:allow-write-text-file",
"allow": [{ "path": "$APPDATA/*" }]
}
]
}
TOML Format
"$schema" = "../gen/schemas/desktop-schema.json"
identifier = "main-capability"
description = "Main window permissions"
windows = ["main"]
permissions = [
"core:default",
"fs:default",
"fs:allow-read-text-file"
]
[[permissions]]
identifier = "fs:allow-write-text-file"
allow = [{ path = "$APPDATA/*" }]
Window Targeting
{
"identifier": "admin-capability",
"windows": ["admin", "settings"],
"permissions": ["fs:allow-write-all"]
}
Use "*" to target all windows:
{
"windows": ["*"],
"permissions": ["core:default"]
}
Platform-Specific Capabilities
{
"identifier": "desktop-capability",
"platforms": ["linux", "macOS", "windows"],
"windows": ["main"],
"permissions": ["fs:allow-app-read-recursive"]
}
{
"identifier": "mobile-capability",
"platforms": ["iOS", "android"],
"windows": ["main"],
"permissions": ["fs:allow-app-read"]
}
Allow and Deny Lists
Basic Scope Configuration
{
"identifier": "fs:allow-read-file",
"allow": [
{ "path": "$HOME/Documents/*" },
{ "path": "$APPDATA/**" }
],
"deny": [
{ "path": "$HOME/Documents/secrets/*" }
]
}
Scope Variables
| Variable | Description |
|---|---|
$APP |
Application install directory |
$APPCONFIG |
App config directory |
$APPDATA |
App data directory |
$APPLOCALDATA |
App local data directory |
$APPCACHE |
App cache directory |
$APPLOG |
App log directory |
$HOME |
User home directory |
$DESKTOP |
Desktop directory |
$DOCUMENT |
Documents directory |
$DOWNLOAD |
Downloads directory |
$RESOURCE |
App resource directory |
$TEMP |
Temporary directory |
Glob Patterns
| Pattern | Matches |
|---|---|
* |
Any file in directory |
** |
Recursive (all subdirectories) |
*.txt |
Files with .txt extension |
Deny Precedence
Deny rules always override allow rules:
{
"permissions": [
{
"identifier": "fs:allow-read-file",
"allow": [{ "path": "$HOME/**" }],
"deny": [{ "path": "$HOME/.ssh/**" }]
}
]
}
Plugin Permissions
Using Default Plugin Permissions
{
"permissions": [
"fs:default",
"shell:default",
"http:default",
"dialog:default"
]
}
Common Plugin Permission Patterns
Filesystem Plugin
{
"permissions": [
"fs:default",
"fs:allow-read-text-file",
"fs:allow-write-text-file",
"fs:allow-app-read-recursive",
"fs:allow-app-write-recursive",
"fs:deny-default"
]
}
HTTP Plugin
{
"permissions": [
"http:default",
{
"identifier": "http:default",
"allow": [{ "url": "https://api.example.com/*" }],
"deny": [{ "url": "https://api.example.com/admin/*" }]
}
]
}
Shell Plugin
{
"permissions": [
"shell:allow-open",
{
"identifier": "shell:allow-execute",
"allow": [
{ "name": "git", "cmd": "git", "args": true }
]
}
]
}
Directory-Specific Filesystem Permissions
| Permission | Access |
|---|---|
fs:allow-appdata-read |
Read $APPDATA (non-recursive) |
fs:allow-appdata-read-recursive |
Read $APPDATA (recursive) |
fs:allow-appdata-write |
Write $APPDATA (non-recursive) |
fs:allow-appdata-write-recursive |
Write $APPDATA (recursive) |
fs:allow-home-read-recursive |
Read $HOME (recursive) |
fs:allow-temp-write |
Write to temp directory |
Custom Permission Definition
TOML Permission File
Create src-tauri/permissions/my-permission.toml:
[[permission]]
identifier = "my-app:config-access"
description = "Access to app configuration files"
commands.allow = ["read_config", "write_config"]
[[scope.allow]]
path = "$APPCONFIG/*"
[[scope.deny]]
path = "$APPCONFIG/secrets.json"
Permission Sets
Group multiple permissions:
[[set]]
identifier = "my-app:full-access"
description = "Full application access"
permissions = [
"my-app:config-access",
"fs:allow-app-read-recursive",
"fs:allow-app-write-recursive"
]
Auto-Generated Command Permissions
In plugin src/build.rs:
const COMMANDS: &[&str] = &["get_user", "save_user", "delete_user"];
fn main() {
tauri_plugin::Builder::new(COMMANDS)
.build();
}
This generates:
allow-get-user/deny-get-userallow-save-user/deny-save-userallow-delete-user/deny-delete-user
Default Permission Set
Create permissions/default.toml:
[default]
description = "Default permissions for my-plugin"
permissions = [
"allow-get-user",
"allow-save-user"
]
Remote Access Configuration
Allow remote URLs to access Tauri APIs (use with caution):
{
"identifier": "remote-capability",
"windows": ["main"],
"remote": {
"urls": ["https://*.myapp.com"]
},
"permissions": [
"core:default"
]
}
Security Warning: Linux and Android cannot distinguish iframe requests from window requests.
Configuration in tauri.conf.json
Reference capabilities by identifier:
{
"app": {
"security": {
"capabilities": ["main-capability", "admin-capability"]
}
}
}
Or inline capabilities directly:
{
"app": {
"security": {
"capabilities": [
{
"identifier": "inline-capability",
"windows": ["*"],
"permissions": ["core:default"]
}
]
}
}
}
Troubleshooting
Common Errors
“Not allowed on this command”
- Verify command permission is in capability
- Check scope includes the target path
- Ensure capability targets correct window
Permission not found
- Check identifier spelling (lowercase only)
- Verify plugin is installed
- Run
cargo buildto regenerate permissions
Debugging Permissions
- Check generated schema:
src-tauri/gen/schemas/ - Review capability files load correctly
- Verify window names match capability targets
- Check deny rules are not blocking access
Best Practices
- Principle of Least Privilege: Only grant permissions actually needed
- Use Specific Scopes: Prefer
$APPDATA/*over$HOME/** - Deny Sensitive Paths: Always deny access to
.ssh, credentials, etc. - Separate Capabilities: Use different capabilities for different window types
- Document Custom Permissions: Include clear descriptions
- Review Plugin Defaults: Understand what default permissions grant
- Platform-Specific Config: Use platform targeting for OS-specific needs