I can't figure out how to give iCanHazShortcut permission to automate Chrome

Question

I can't figure out how to give iCanHazShortcut permission to automate Chrome

rdhyee opened this issue 5 years ago · 16 comments

I'm trying to configure iCanHazShortcut to run a script that accesses Chrome via AppleScript (wrapped in Python) but am running into a

aem.aemsend.EventError: Command failed: The user has declined permission. (-1743)

error. More fully, the error report is

[stderr]
Traceback (most recent call last):
  File "/Users/raymondyee/C/src/my_conda_envs/myenv5/.venv/lib/python3.7/site-packages/aeosa/appscript/reference.py", line 482, in __call__
    return self.AS_appdata.target().event(self._code, params, atts, codecs=self.AS_appdata).send(timeout, sendflags)
  File "/Users/raymondyee/C/src/my_conda_envs/myenv5/.venv/lib/python3.7/site-packages/aeosa/aem/aemsend.py", line 92, in send
    raise EventError(errornum, errormsg, eventresult)
aem.aemsend.EventError: Command failed: The user has declined permission. (-1743)
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
  File "/Users/raymondyee/bin/chrome_tabs_to_clipboard.py", line 10, in <module>
    for w in gc.windows():
  File "/Users/raymondyee/C/src/my_conda_envs/myenv5/.venv/lib/python3.7/site-packages/aeosa/appscript/reference.py", line 664, in __call__
    return self.get(*args, **kargs)
  File "/Users/raymondyee/C/src/my_conda_envs/myenv5/.venv/lib/python3.7/site-packages/aeosa/appscript/reference.py", line 518, in __call__
    raise CommandError(self, (args, kargs), e, self.AS_appdata) from e
appscript.reference.CommandError: Command failed:
		OSERROR: -1743
		MESSAGE: The user has declined permission.
		COMMAND: app('/Applications/Google Chrome.app').windows.get()


Action executed successfully!

I don't ever remember getting prompted to give iCanHazShortcut permission to access Chrome, and I'm pretty sure that I would have said yes. I can't seem to set that situation right to give the right permissions now.

My setup:

iCanHazShortcut 1.0.1
MacOS Mojave 10.14.3

I've reset System Preferences -> Security & Privacy -> Automation with

tccutil reset AppleEvents

but still get the same problem.

Thanks in advance for any help! (and thanks for iCanHazShortcut in the first place)

Answer 1 · 2019-03-28T13:07:40.000Z

Hello. Please create a shortcut with this command:
osascript -e 'tell application "Google Chrome" to open location "http://google.com"'

Does it work for you?

Answer 2 · 2019-03-28T22:31:37.000Z

@deseven -- yes that does work for me. Hmmm.

Answer 3 · 2019-03-28T22:34:49.000Z

Then i guess it has nothing to do with iCHS itself. Still, have you tried to launch your python script/program manually (e.g. from terminal)? Does it work that way?

Answer 4 · 2019-03-29T11:27:00.000Z

Okay, i did some tests, apparently this is related to #26 (which is fixed, but not released yet). I've built fixed version for you, you can download it here.

Or, if you're not in a hurry, just wait for a 1.1 release, i was hoping to finish it in a week or two.

Answer 5 · 2019-03-29T15:57:12.000Z

Thanks @deseven for your fix. I'll take a look at it. BTW, you may have figured it out -- but my Python script does work from the terminal, making me think that the permission issue was related to iCHS.

Answer 6 · 2019-03-29T17:27:36.000Z

It is related after all, i was wrong.

It's more like a feature than a bug though, current version spawns non-interactive shell and that's why you don't get that permission request. Invoking a shell with -l or -i param helps, but there is no way to add that in current version of iCHS. That's why the coming version 1.1 supports explicit declaration which shell you run and with which params.

Please report if that test build works for you when you can.

Answer 7 · 2019-03-29T17:30:53.000Z

@MEGADR01D you can check out the new test version too if you want.

Answer 8 · 2019-03-29T19:28:20.000Z

@deseven Thanks. Downloaded, will try later and report back.

Answer 9 · 2019-03-29T23:09:14.000Z

@deseven Thanks, dev version is working great. With the -l flag I no longer need to declare the full path to my scripts or to dependencies inside the scripts, as long as they're all present in my $PATH.

Small glitch on the Preferences window, tho. Open Preferences from the menubar, switch to Shortcuts and edit a shortcut (pencil icon or double click).

Looking forward to the next release. Awesome job.

Answer 10 · 2019-03-30T18:52:59.000Z

Alas, the new version still doesn't work for me.

I reset my macOS privacy settings (with tccutil reset All) and when I came to run my script on iTerm, I got prompted to give permission:

yet when I go to test my script in iCHS, I still get the same error (with no prompt to give permission). It seems that somehow I must have said no at some point to iCHS in the past and can't figure out how to reset that decision so that I can be given a chance to say yes this time.

The script in question is:

#!/Users/raymondyee/C/src/my_conda_envs/myenv5/.venv/bin/python

from appscript import app, k, its
import pyperclip

gc = app("Google Chrome")

links = []

for w in gc.windows():
    for (i, tab) in enumerate(w.tabs()):
        links.append('[{}]({})'.format(tab.title(), tab.URL()))

links_md = "* " + "\n* ".join(links)        
pyperclip.copy(links_md)

Answer 11 · 2019-03-30T19:58:39.000Z

Ok, i'll try your script tomorrow.

I tested it before with a very simple example:

from appscript import *

app('Finder').home.folders.name.get()

And it asks for a permission correctly if i run it as python script.py in Terminal or iCHS.

Answer 12 · 2019-03-30T21:01:26.000Z

I tried the simple script that you included here but unfortunately getting the same error in iCHS:

Action: /Users/raymondyee/bin/ichs_test.py
Shell: /bin/bash -l
Exit code: 1

[stderr]
Traceback (most recent call last):
  File "/Users/raymondyee/C/src/my_conda_envs/myenv5/.venv/lib/python3.7/site-packages/aeosa/appscript/reference.py", line 482, in __call__
    return self.AS_appdata.target().event(self._code, params, atts, codecs=self.AS_appdata).send(timeout, sendflags)
  File "/Users/raymondyee/C/src/my_conda_envs/myenv5/.venv/lib/python3.7/site-packages/aeosa/aem/aemsend.py", line 92, in send
    raise EventError(errornum, errormsg, eventresult)
aem.aemsend.EventError: Command failed: The user has declined permission. (-1743)
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
  File "/Users/raymondyee/bin/ichs_test.py", line 5, in <module>
    app('Finder').home.folders.name.get()
  File "/Users/raymondyee/C/src/my_conda_envs/myenv5/.venv/lib/python3.7/site-packages/aeosa/appscript/reference.py", line 518, in __call__
    raise CommandError(self, (args, kargs), e, self.AS_appdata) from e
appscript.reference.CommandError: Command failed:
		OSERROR: -1743
		MESSAGE: The user has declined permission.
		COMMAND: app('/System/Library/CoreServices/Finder.app').home.folders.name.get()

I might have try this on another account or another Mac.

Answer 13 · 2019-03-30T21:03:13.000Z

I don't have much of an understanding of Mojave permission systems but macOS Mojave gets new APIs around AppleEvent sandboxing – but AEpocalypse still looms seems to talk about issues related to the problem I've been experiencing.

Answer 14 · 2019-03-30T23:08:47.000Z

Oh, thanks, your link helped a lot! So this is another security "feature" from Apple that doesn't make any sense (since you can control any app without any permissions using osascript). Good to know.

I've added that NSAppleEventsUsageDescription key and tried your script, it works fine now. It worked for me before because i ran iCHS from the IDE and apparently parent process defines this behavior.

Please re-download the test version to check if it works for you now.

Answer 15 · 2019-03-31T06:44:04.000Z

@deseven Now it works fine -- thank you so much! Yeah, I really don't understand Apple's security restriction here either.

Answer 16 · 2019-03-31T10:53:56.000Z

Great! I'm closing this then.