Prevent original files from OS X app's sandbox container to be modified via drag and drop or Share Extensions?

Question

I have a shoebox type (as opposed to document based) OS X app that stores images in the app's sandbox container.

These images can be shared via Share Extensions (in form of a NSURL) or exported via drag and drop.

When an image is shared to an image editor (e.g. Acorn offers a Share Extension), or dropped on an image editor, the image editor opens the file from within my sandbox container and can now alter, rename or delete this file - which can lead to all kinds of inconstancies in my app.

First, I was surprised, because I thought, files in the sandbox can only be accessed by the app itself. But it seems this is not the case, when I intentionally share the NSURL.

So how can I prevent that someone can alter files in my sandbox container while still offering them for drag and drop and to Share Extensions?

• I tried not sharing NSURLs but NSImages, but many Share Extensions do not work with NSImages, so this is not a good option.
• Is it a possibility to write-protect the files in the sandbox?
• Should I always make a copy of an image to a temporary location, before I offer it for sharing or drag and drop (could be slow for big images?)

I am happy to hear your suggestions or learn more about the problem.

Answer 1

Create a bookmark of the NSURL.

So the user can still rename, move and delete the file, but you notice it and know the new location and name and still are able to access the file. Should work even if it's outside your sandbox. So you can handle this. https://developer.apple.com/library/mac/documentation/Cocoa/Reference/Foundation/Classes/NSURL_Class/

That's one of the benefits working with NSURL and not with a simple path string.