PURPOSE
If an application needs to perform an task for which its user does not have sufficient privileges and needs authorization, I call this task is called a "Authorized Task". (BookMacster uses this code for one task, which is to allow non-admin users to write their License Information to the "anyUser" /System/Preferences.) Apple's developer documentation has a lot to say about how applications should perform authorized tasks while maintaining system security. Prior to late 2007, the recommended example of how to implement these recommendations was provided in Apple's MoreAuthSample sample code.
MoreAuthSample was replaced by BetterAuthorizationSample [1] in late 2007. I was hoping that it would be easier to incorporate into a project than MoreAuthSample. But I still found a steep learning curve, partly due to the partitioning that must be done to maintain security up to Apple's high standards, but largely due to idioms in the top-layer demo app which are "un-Cocoa-like". I started keeping a list of things I didn't like, but after a dozen items, with still alot to learn, I decided to improve upon it instead of publishing a rant. This project is the result.
I only touched the Demo App and the Helper Tool, which you have touch anyhow. This project uses the three "Reuseable Library" files from Apple's BetterAuthorizationSample without any modifications, so that if Apple updates these files you can just plug in the new versions. There are a few things in the Reuseable Library that I'd like to change too, but so far I've resisted that temptation. The Helper Tool has been partitioned into files systematically so that you can build your own Helper Tool Target to do just the tasks you need by including required files, instead of hacking the demo. Also, the re-useable code in the demo app has been partitioned off into a framework that you simply add to your application. (As usual, to add a framework, you add to linked files, add dependency, add to Copy Files.)
AuthorizedTasksInCocoa does all the same things as the demo app in BetterAuthorizationSample, with one exception. It does not present an NSAlert panel before installing the "BAS" helper tool. I don't think there is any need for that, because there is no reason why the user would not want it installed, other than the fact that they don't know what "BAS" means and get mad at your app for asking the question. So I omitted this code from the framework. The installer gets installed silently when needed. Note also that MoreAuthSample installed its helper tool silently too.
Can the Finder do it? During 2009, I had published here the advice that You can also ask to the Finder to do it using AppleEvent. The Finder will ask the user its password if needed and will take care of the hard part for you. Now, actually, if that were true, you could do anything. Example: Tell Finder to move a file out of an inaccessible directory to an accessible Temporary directory, modify it using regular non-privileged methods, then tell Finder to move it back. But it didn't work for me. Finder just failed with a generic error. Possibly, this is because Apple has tightened security in a recent Mac OS X dot release, although it doesn't make sense since authentication is required. Anyhow, since using AuthorizedTasksInCocoa is alot of work, you should at least try using Finder first. Anyhow, the next version of AuthorizedTasksInCocoa will have this file-moving capabillity.
SYSTEM REQUIREMENT
Like BetterAuthorizationSample, projects incorporating AuthorizedTasksInCocoa must be run in Mac OS 10.4.6 or later.
DOWNLOAD
Download AuthorizedTasksInCocoa (336 KB).
MORE INTERESTING READING
[1] Apple's BetterAuthorizationSample. "The real source."
[2] Apple's QA1277, which explains some tricks you might see in dealing with security credentials.
[3] Apple's Authorization Services Programming Guide.