Sheep Systems

If an application needs to perform an task for which its user does not have sufficient privileges and needs authorization, I call this task is called a "Authorized Task".  (BookMacster uses this code for one task, which is to allow non-admin users to write their License Information to the "anyUser" /System/Preferences.)  Apple's developer documentation has a lot to say about how applications should perform authorized tasks while maintaining system security.  Prior to late 2007, the recommended example of how to implement these recommendations was provided in Apple's MoreAuthSample sample code.  

MoreAuthSample was replaced by BetterAuthorizationSample [1] in late 2007.  I was hoping that it would be easier to incorporate into a project than MoreAuthSample.  But I still found a steep learning curve, partly due to the partitioning that must be done to maintain security up to Apple's high standards, but largely due to idioms in the top-layer demo app which are "un-Cocoa-like".  I started keeping a list of things I didn't like, but after a dozen items, with still alot to learn, I decided to improve upon it instead of publishing a rant.  This project is the result.

I only touched the Demo App and the Helper Tool, which you have touch anyhow.  This project uses the three "Reuseable Library" files from Apple's BetterAuthorizationSample without any modifications, so that if Apple updates these files you can just plug in the new versions.  There are a few things in the Reuseable Library that I'd like to change too, but so far I've resisted that temptation.  The Helper Tool has been partitioned into files systematically so that you can build your own Helper Tool Target to do just the tasks you need by including required files, instead of hacking the demo.  Also, the re-useable code in the demo app has been partitioned off into a framework that you simply add to your application.   (As usual, to add a framework, you add to linked files, add dependency, add to Copy Files.)

AuthorizedTasksInCocoa does all the same things as the demo app in BetterAuthorizationSample, with one exception.  It does not present an NSAlert panel before installing the "BAS" helper tool.  I don't think there is any need for that, because there is no reason why the user would not want it installed, other than the fact that they don't know what "BAS" means and get mad at your app for asking the question.  So I omitted this code from the framework.  The installer gets installed silently when needed.  Note also that MoreAuthSample installed its helper tool silently too.

Consider this before proceeding.  Even if you are able to use the AuthorizedTasksInCocoa framework and one of the provided helper tools, this is still going to be alot of work for you.  Before proceeding, stop and think if there is any other way you can get the desired function in your app without including a privileged helper tool.  For example, say that you want to move a file that requires root access.  Says Jean-Daniel Dupas, You can also ask to the Finder to do it using AppleEvent. The Finder will ask the user its password if needed and will take care of the hard part for you.  That's smart!  Try and think outside of this box before you jump into it, remembering that your best code is the code you can weasal out of writing.  And this is not just code -- it's another framework, another target, at least two more executables added to your app's package -- the kind of stuff that often doesn't throw compiler errors -- stuff that bites in the field if you're not careful.

But if you really need to do it, and have been head-scratching over BetterAuthorizationSample, you might like this better.