On Android apps need special permissions to access certain things like the camera and microphone. When the app tries to access something that needs special permission for the first time you will prompted once and afterwards the permission can be removed again in the app settings.
For sandboxed apps on desktop as done by flatpak or snap for example the situation is similar. Such apps can’t access all systems services, instead they have to through xdg-desktop-portal which will show a dialog where the user can grant permission to the app. Unfortunately we lacked the “configure permissions” part of it which means granted permissions disappear into the void and pre-authorization is not possible.
This changes with Plasma 6.5 which will include a new settings page where you can configure application permissions!

Features

Main view showing Application Permissions
Main view showing Application Permissions

The main view after selecting an application shows all the permissions you can configure. The ones at the top are controlled by simple on/off switches and are turned on by default – applications are currently allowed to do those things by the portal frontend except when explicitly denied.

The settings that follow are a bit more interesting, you can configure if application requests to do those things or not. Additionally the “Always Ask” setting will make it so that a dialog is always shown when the app tries to take a screenshot for example. The default state for these settings after you install an app is “Ask Once”, a dialog will be shown and depending on if you click yes or no future requests are allowed or denied. The Location setting is a bit special as it allows configuring the accuracy with which the current location is fetched.

Configuring saved screen cast and remote desktop sessions
Configuring saved screen cast and remote desktop sessions

Finally you can configure screen cast and remote desktop sessions that the app is able to restore in the future. Here you can see exactly what the application is able to record and control and revoke those permissions. The Plasma specific override for remote control can also be enabled here.

A Note on Non-Sanboxed Apps and X11

For non-sandboxed (“host”) apps only a subset of settings will be shown. The reason is simple: Some portals just forward a request from the application to another service. Denying host apps access to such portals would either have no effect as they are not using the portal in the first place or can always talk to the service directly anyway. However some things such as recording screen contents or sending fake input events always require that these apps use the portal because they are simply not possible through other means so these settings will be shown. On Wayland anyway – on X11 everything can do everything. Even so these settings will also be shown on X11 if you are using an app that uses the portal to do these things.

Outlook

Of course as we implement new portals support for these will also be added here if suitable. For existing portals permission support can be added – preferably upstream. One such system is currently in development for the input capture portal. If you think there is a portal dialog that can be hooked up to a permission system which currently isn’t please file a bug report and we can investigate it.