How do I give a CGI script permission to access Calendar?
When I run my script from the command line I can use - am actually prompted to use - System Preferences to add ssh-keygen-wrapper
to be authorised to access the Calendar.
But when I run the script as a CGI program it is not authorised to access the Calendar - it is running as nobody
and fails - and I don't know how to give the CGI-invoked script required permission.
A related question is even whether I should as giving nobody
access to Calendar ... but that's a separate issue.
[FYI]
macOS High Sierra
Python CGI script using an AppleScript to read Calendar events
Solution 1:
The nobody user is non-interactive and doesn’t have calendars anyways. You will need to have some component (maybe another custom app/process) running as you to deliver the calendar info.
You really have two options, one of which is very bad.
Firstly, you could have your CGI scripts run as you. This isn’t hard but super dangerous and not recommended.
Secondly, you can build what is essentially a calendar proxy. This could be another program (running as you) which ever five minutes reads the calendar data and writes it out to a file which nobody, the account, can read. You already seem to be familiar and working just fine with calendars so this shouldn’t be an issue, it’s just another script that you schedule with cron.
Another thing, though I’m really not sure if it will work for nobody, is that you can run sudo su nobody
and then launch it. Since OSX knows that the PTTY is attached to your user session it will show the prompt there for you to accept. While you still won’t be able to access your users calendars, this trick is useful if you have to use these sorts of permissions as root whom also doesn’t a graphical session.
Solution 2:
Of course @Sirens points out the obvious flaw in my approach. I had used the AppleScript as an easy way to access the Calendars available at the command line of the user I was logged in as but, of course, were not available to nobody.
I gratefully considered @Siren's answer and agreed with him that my approach was basically unsound and a workaround was either too dangerous or ungainly to consider pursuing further.
I hope this constitutes an answer - useful to anyone who also took this wrong turning - since it seems obvious to pursue a better informed tack using available Python libraries to build a CGI script where I (and nobody) can explicitly provide the Calendar with client credentials independently of the user or machine running the script.
I have used caldav as a proof of concept but found a few issues in doing so, so am now looking at Apple's CalDAVClientLibrary which looks to be a bit more comprehensive.