Added permissions to avatar bookmarks

interface/src/AvatarBookmarks.cpp

@@ -41,6 +41,15 @@
 #include <QtQuick/QQuickWindow>
 #include <memory>
 #include "WarningsSuppression.h"
+#include "ScriptPermissions.h"
+
+QVariantMap AvatarBookmarks::getBookmarks() {
+    if (ScriptPermissions::isCurrentScriptAllowed(ScriptPermissions::Permission::SCRIPT_PERMISSION_GET_AVATAR_URL)) {
+        return _bookmarks;
+    } else {
+        return {};
+    }
+}
 
 void addAvatarEntities(const QVariantList& avatarEntities) {
     auto nodeList = DependencyManager::get<NodeList>();
@@ -123,6 +132,12 @@ AvatarBookmarks::AvatarBookmarks() {
 }
 
 void AvatarBookmarks::addBookmark(const QString& bookmarkName) {
+    if (ScriptPermissions::isCurrentScriptAllowed(ScriptPermissions::Permission::SCRIPT_PERMISSION_GET_AVATAR_URL)) {
+        addBookmarkInternal(bookmarkName);
+    }
+}
+
+void AvatarBookmarks::addBookmarkInternal(const QString& bookmarkName) {
     if (QThread::currentThread() != thread()) {
         BLOCKING_INVOKE_METHOD(this, "addBookmark", Q_ARG(QString, bookmarkName));
         return;
@@ -134,6 +149,12 @@ void AvatarBookmarks::addBookmark(const QString& bookmarkName) {
 }
 
 void AvatarBookmarks::saveBookmark(const QString& bookmarkName) {
+    if (ScriptPermissions::isCurrentScriptAllowed(ScriptPermissions::Permission::SCRIPT_PERMISSION_GET_AVATAR_URL)) {
+        saveBookmarkInternal(bookmarkName);
+    }
+}
+
+void AvatarBookmarks::saveBookmarkInternal(const QString& bookmarkName) {
     if (QThread::currentThread() != thread()) {
         BLOCKING_INVOKE_METHOD(this, "saveBookmark", Q_ARG(QString, bookmarkName));
         return;
@@ -145,6 +166,12 @@ void AvatarBookmarks::saveBookmark(const QString& bookmarkName) {
 }
 
 void AvatarBookmarks::removeBookmark(const QString& bookmarkName) {
+    if (ScriptPermissions::isCurrentScriptAllowed(ScriptPermissions::Permission::SCRIPT_PERMISSION_GET_AVATAR_URL)) {
+        removeBookmarkInternal(bookmarkName);
+    }
+}
+
+void AvatarBookmarks::removeBookmarkInternal(const QString& bookmarkName) {
     if (QThread::currentThread() != thread()) {
         BLOCKING_INVOKE_METHOD(this, "removeBookmark", Q_ARG(QString, bookmarkName));
         return;
@@ -200,6 +227,12 @@ void AvatarBookmarks::updateAvatarEntities(const QVariantList &avatarEntities) {
  */
 
 void AvatarBookmarks::loadBookmark(const QString& bookmarkName) {
+    if (ScriptPermissions::isCurrentScriptAllowed(ScriptPermissions::Permission::SCRIPT_PERMISSION_GET_AVATAR_URL)) {
+        loadBookmarkInternal(bookmarkName);
+    }
+}
+
+void AvatarBookmarks::loadBookmarkInternal(const QString& bookmarkName) {
     if (QThread::currentThread() != thread()) {
         BLOCKING_INVOKE_METHOD(this, "loadBookmark", Q_ARG(QString, bookmarkName));
         return;
@@ -268,6 +301,15 @@ void AvatarBookmarks::readFromFile() {
 }
 
 QVariantMap AvatarBookmarks::getBookmark(const QString &bookmarkName)
+{
+    if (ScriptPermissions::isCurrentScriptAllowed(ScriptPermissions::Permission::SCRIPT_PERMISSION_GET_AVATAR_URL)) {
+        return getBookmarkInternal(bookmarkName);
+    } else {
+        return {};
+    }
+}
+
+QVariantMap AvatarBookmarks::getBookmarkInternal(const QString &bookmarkName)
 {
     if (QThread::currentThread() != thread()) {
         QVariantMap result;

interface/src/AvatarBookmarks.h

@@ -100,7 +100,7 @@ public slots:
      *     print("- " + key + " " + bookmarks[key].avatarUrl);
      * };
      */
-    QVariantMap getBookmarks() { return _bookmarks; }
+    QVariantMap getBookmarks();
 
 signals:
     /*@jsdoc
@@ -147,6 +147,11 @@ protected slots:
     void deleteBookmark() override;
 
 private:
+    QVariantMap getBookmarkInternal(const QString &bookmarkName);
+    void addBookmarkInternal(const QString& bookmarkName);
+    void saveBookmarkInternal(const QString& bookmarkName);
+    void loadBookmarkInternal(const QString& bookmarkName);
+    void removeBookmarkInternal(const QString& bookmarkName);
     const QString AVATARBOOKMARKS_FILENAME = "avatarbookmarks.json";
     const QString ENTRY_AVATAR_URL = "avatarUrl";
     const QString ENTRY_AVATAR_ICON = "avatarIcon";

libraries/script-engine/src/ScriptPermissions.cpp

@@ -46,8 +46,12 @@ bool ScriptPermissions::isCurrentScriptAllowed(ScriptPermissions::Permission per
     // Get the script manager:
     auto engine = Scriptable::engine();
     if (!engine) {
-        qDebug() << "ScriptPermissions::isCurrentScriptAllowed called outside script engine for permission: " << scriptPermissionNames[permissionIndex];
-        return false;
+        // When this happens it means that function was called from QML or C++ and should always be allowed
+        if (PERMISSIONS_DEBUG_ENABLED) {
+            qDebug() << "ScriptPermissions::isCurrentScriptAllowed called outside script engine for permission: "
+                     << scriptPermissionNames[permissionIndex];
+        }
+        return true;
     }
     auto manager = engine->manager();
     if (!manager) {
@@ -76,7 +80,7 @@ bool ScriptPermissions::isCurrentScriptAllowed(ScriptPermissions::Permission per
     }
     // Check if the script is allowed:
     QList<QString> safeURLPrefixes = { "file:///", "qrc:/", NetworkingConstants::OVERTE_COMMUNITY_APPLICATIONS,
-                                       NetworkingConstants::OVERTE_TUTORIAL_SCRIPTS/*, "about:console"*/};
+                                       NetworkingConstants::OVERTE_TUTORIAL_SCRIPTS, "about:console"};
     Setting::Handle<QString> allowedURLsSetting(scriptPermissionSettingKeyNames[permissionIndex]);
     QList<QString> allowedURLs = allowedURLsSetting.get().split("\n");