Move access related browser settings to database custom data

share/translations/keepassxc_en.ts

@@ -1093,11 +1093,6 @@ Do you want to overwrite the passkey in %1 - %2?</source>
         <source>Advanced</source>
         <translation type="unfinished"></translation>
     </message>
-    <message>
-        <source>Never ask before accessing credentials</source>
-        <extracomment>Credentials mean login data requested via browser extension</extracomment>
-        <translation type="unfinished"></translation>
-    </message>
     <message>
         <source>Never ask before updating credentials</source>
         <extracomment>Credentials mean login data requested via browser extension</extracomment>
@@ -1202,14 +1197,6 @@ Do you want to overwrite the passkey in %1 - %2?</source>
         <source>Select native messaging host folder location</source>
         <translation type="unfinished"></translation>
     </message>
-    <message>
-        <source>Allow keepassxc-proxy to list all entries with their title, URL and UUID in connected databases.</source>
-        <translation type="unfinished"></translation>
-    </message>
-    <message>
-        <source>Allow limited access to all entries in connected databases (ignores site access restrictions)</source>
-        <translation type="unfinished"></translation>
-    </message>
     <message>
         <source>&lt;b&gt;Warning:&lt;/b&gt; Only adjust these settings if necessary.</source>
         <translation type="unfinished"></translation>
@@ -1222,10 +1209,6 @@ Do you want to overwrite the passkey in %1 - %2?</source>
         <source>&lt;b&gt;Error:&lt;/b&gt; The custom proxy location does not exist. Correct this in the advanced settings tab.</source>
         <translation type="unfinished"></translation>
     </message>
-    <message>
-        <source>&lt;b&gt;Error:&lt;/b&gt; The installed proxy executable is missing from the expected location: %1&lt;br/&gt;Please set a custom proxy location in the advanced settings or reinstall the application.</source>
-        <translation type="unfinished"></translation>
-    </message>
     <message>
         <source>Allows using insecure http://localhost with passkeys for testing purposes.</source>
         <translation type="unfinished"></translation>
@@ -1238,6 +1221,10 @@ Do you want to overwrite the passkey in %1 - %2?</source>
         <source>KeePassXC-Browser is needed for the browser integration to work. &lt;br /&gt;Download it for %1 and %2 and %3.</source>
         <translation type="unfinished"></translation>
     </message>
+    <message>
+        <source>&lt;b&gt;Error:&lt;/b&gt; The installed proxy executable is missing from the expected location: %1&lt;br/&gt;Please set a custom proxy location in the advanced settings or reinstall the application.</source>
+        <translation type="unfinished"></translation>
+    </message>
 </context>
 <context>
     <name>CloneDialog</name>
@@ -1814,6 +1801,19 @@ This is only necessary if your database is a copy of another and the browser ext
         <source>No entry with permissions found!</source>
         <translation type="unfinished"></translation>
     </message>
+    <message>
+        <source>Never confirm before sending credentials to the extension</source>
+        <extracomment>Credentials mean login data requested via browser extension</extracomment>
+        <translation type="unfinished"></translation>
+    </message>
+    <message>
+        <source>Allow a connected program to list all entries with their title, URL and UUID regardless of individual access restrictions</source>
+        <translation type="unfinished"></translation>
+    </message>
+    <message>
+        <source>Allow limited access to all entries (may be used by third-party solutions)</source>
+        <translation type="unfinished"></translation>
+    </message>
 </context>
 <context>
     <name>DatabaseSettingsWidgetDatabaseKey</name>

src/CMakeLists.txt

@@ -25,6 +25,7 @@ set(keepassx_SOURCES
         core/Config.cpp
         core/CustomData.cpp
         core/Database.cpp
+        core/DatabaseSettings.cpp
         core/DatabaseStats.cpp
         core/Entry.cpp
         core/EntryAttachments.cpp

src/browser/BrowserAction.cpp

@@ -405,17 +405,15 @@ QJsonObject BrowserAction::handleGetDatabaseEntries(const QJsonObject& json, con
         return getErrorReply(action, ERROR_KEEPASS_INCORRECT_ACTION);
     }
 
-    if (!browserSettings()->allowGetDatabaseEntriesRequest()) {
+    bool accessDenied = true;
+    const auto entries = browserService()->getDatabaseEntries(&accessDenied);
+    if (accessDenied) {
         return getErrorReply(action, ERROR_KEEPASS_ACCESS_TO_ALL_ENTRIES_DENIED);
-    }
+    } else if (entries.isEmpty()) {
-
-    const QJsonArray entries = browserService()->getDatabaseEntries();
-    if (entries.isEmpty()) {
         return getErrorReply(action, ERROR_KEEPASS_NO_GROUPS_FOUND);
     }
 
     const Parameters params{{"entries", entries}};
-
     return buildResponse(action, browserRequest.incrementedNonce, params);
 }
 

src/browser/BrowserService.cpp

@@ -24,6 +24,7 @@
 #include "BrowserHost.h"
 #include "BrowserMessageBuilder.h"
 #include "BrowserSettings.h"
+#include "core/DatabaseSettings.h"
 #include "core/Tools.h"
 #include "core/UrlTools.h"
 #include "gui/MainWindow.h"
@@ -109,10 +110,7 @@ void BrowserService::setEnabled(bool enabled)
 
 bool BrowserService::isDatabaseOpened() const
 {
-    if (m_currentDatabaseWidget) {
+    return m_currentDatabaseWidget && !m_currentDatabaseWidget->isLocked();
-        return !m_currentDatabaseWidget->isLocked();
-    }
-    return false;
 }
 
 bool BrowserService::openDatabase(bool triggerUnlock)
@@ -121,7 +119,7 @@ bool BrowserService::openDatabase(bool triggerUnlock)
         return false;
     }
 
-    if (m_currentDatabaseWidget && !m_currentDatabaseWidget->isLocked()) {
+    if (isDatabaseOpened()) {
         return true;
     }
 
@@ -229,14 +227,26 @@ QJsonObject BrowserService::getDatabaseGroups()
     return result;
 }
 
-QJsonArray BrowserService::getDatabaseEntries()
+QJsonArray BrowserService::getDatabaseEntries(bool* accessDenied, const QSharedPointer<Database>& selectedDb)
 {
-    auto db = getDatabase();
+    if (accessDenied) {
+        *accessDenied = true;
+    }
+
+    auto db = selectedDb ? selectedDb : getDatabase();
     if (!db) {
         return {};
     }
 
-    Group* rootGroup = db->rootGroup();
+    if (!databaseSettings()->getAllowGetDatabaseEntriesRequest(db)) {
+        return {};
+    }
+
+    if (accessDenied != nullptr) {
+        *accessDenied = false;
+    }
+
+    auto* rootGroup = db->rootGroup();
     if (!rootGroup) {
         return {};
     }
@@ -360,7 +370,6 @@ BrowserService::findEntries(const EntryParameters& entryParameters, const String
         *entriesFound = false;
     }
 
-    const bool alwaysAllowAccess = browserSettings()->alwaysAllowAccess();
     const bool ignoreHttpAuth = browserSettings()->httpAuthPermission();
     const QString siteHost = QUrl(entryParameters.siteUrl).host();
     const QString formHost = QUrl(entryParameters.formUrl).host();
@@ -396,11 +405,7 @@ BrowserService::findEntries(const EntryParameters& entryParameters, const String
             continue;
 
         case Unknown:
-            if (alwaysAllowAccess) {
-                allowedEntries.append(entry);
-            } else {
             entriesToConfirm.append(entry);
-            }
             break;
 
         case Allowed:
@@ -554,6 +559,26 @@ bool BrowserService::isPasswordGeneratorRequested() const
     return m_passwordGenerator && m_passwordGenerator->isVisible();
 }
 
+bool BrowserService::getAlwaysAllowAccess()
+{
+    return databaseSettings()->getAlwaysAllowAccess(getDatabase());
+}
+
+void BrowserService::setAlwaysAllowAccess(bool enabled)
+{
+    databaseSettings()->setAlwaysAllowAccess(getDatabase(), enabled);
+}
+
+bool BrowserService::getAllowGetDatabaseEntriesRequest()
+{
+    return databaseSettings()->getAllowGetDatabaseEntriesRequest(getDatabase());
+}
+
+void BrowserService::setAllowGetDatabaseEntriesRequest(bool enabled)
+{
+    databaseSettings()->setAllowGetDatabaseEntriesRequest(getDatabase(), enabled);
+}
+
 QString BrowserService::storeKey(const QString& key)
 {
     auto db = getDatabase();
@@ -1197,6 +1222,13 @@ BrowserService::checkAccess(const Entry* entry, const QString& siteHost, const Q
         return Denied;
     }
 
+    const auto db = entry->database();
+    if (db
+        && db->metadata()->customData()->value(CustomData::OptionPrefix + DatabaseSettings::OPTION_ALWAYS_ALLOW_ACCESS)
+               == TRUE_STR) {
+        return Allowed;
+    }
+
     BrowserEntryConfig config;
     if (!config.load(entry)) {
         return Unknown;

src/browser/BrowserService.h

@@ -79,7 +79,7 @@ public:
     void lockDatabase();
 
     QJsonObject getDatabaseGroups();
-    QJsonArray getDatabaseEntries();
+    QJsonArray getDatabaseEntries(bool* accessDenied, const QSharedPointer<Database>& selectedDb = {});
     QJsonObject createNewGroup(const QString& groupName);
     QString getCurrentTotp(const QString& uuid);
     void showPasswordGenerator(const KeyPairMessage& keyPairMessage);
@@ -111,6 +111,12 @@ public:
                            const QString& userHandle,
                            const QString& privateKey);
 #endif
+
+    bool getAlwaysAllowAccess();
+    void setAlwaysAllowAccess(bool enabled);
+    bool getAllowGetDatabaseEntriesRequest();
+    void setAllowGetDatabaseEntriesRequest(bool enabled);
+
     void addEntry(const EntryParameters& entryParameters,
                   const QString& group,
                   const QString& groupUuid,

src/browser/BrowserSettings.cpp

@@ -85,16 +85,6 @@ void BrowserSettings::setMatchUrlScheme(bool matchUrlScheme)
     config()->set(Config::Browser_MatchUrlScheme, matchUrlScheme);
 }
 
-bool BrowserSettings::alwaysAllowAccess()
-{
-    return config()->get(Config::Browser_AlwaysAllowAccess).toBool();
-}
-
-void BrowserSettings::setAlwaysAllowAccess(bool alwaysAllowAccess)
-{
-    config()->set(Config::Browser_AlwaysAllowAccess, alwaysAllowAccess);
-}
-
 bool BrowserSettings::alwaysAllowUpdate()
 {
     return config()->get(Config::Browser_AlwaysAllowUpdate).toBool();
@@ -237,16 +227,6 @@ void BrowserSettings::setUpdateBinaryPath(bool enabled)
     config()->set(Config::Browser_UpdateBinaryPath, enabled);
 }
 
-bool BrowserSettings::allowGetDatabaseEntriesRequest()
-{
-    return config()->get(Config::Browser_AllowGetDatabaseEntriesRequest).toBool();
-}
-
-void BrowserSettings::setAllowGetDatabaseEntriesRequest(bool enabled)
-{
-    config()->set(Config::Browser_AllowGetDatabaseEntriesRequest, enabled);
-}
-
 bool BrowserSettings::allowExpiredCredentials()
 {
     return config()->get(Config::Browser_AllowExpiredCredentials).toBool();

src/browser/BrowserSettings.h

@@ -39,8 +39,6 @@ public:
     void setUnlockDatabase(bool unlockDatabase);
     bool matchUrlScheme();
     void setMatchUrlScheme(bool matchUrlScheme);
-    bool alwaysAllowAccess();
-    void setAlwaysAllowAccess(bool alwaysAllowAccess);
     bool alwaysAllowUpdate();
     void setAlwaysAllowUpdate(bool alwaysAllowUpdate);
     bool searchInAllDatabases();
@@ -66,8 +64,6 @@ public:
 #endif
     bool updateBinaryPath();
     void setUpdateBinaryPath(bool enabled);
-    bool allowGetDatabaseEntriesRequest();
-    void setAllowGetDatabaseEntriesRequest(bool enabled);
     bool allowExpiredCredentials();
     void setAllowExpiredCredentials(bool enabled);
 

src/browser/BrowserSettingsWidget.cpp

@@ -108,7 +108,6 @@ void BrowserSettingsWidget::loadSettings()
     // TODO: fix this
     m_ui->showNotification->hide();
 
-    m_ui->alwaysAllowAccess->setChecked(settings->alwaysAllowAccess());
     m_ui->alwaysAllowUpdate->setChecked(settings->alwaysAllowUpdate());
     m_ui->httpAuthPermission->setChecked(settings->httpAuthPermission());
     m_ui->searchInAllDatabases->setChecked(settings->searchInAllDatabases());
@@ -118,7 +117,6 @@ void BrowserSettingsWidget::loadSettings()
     m_ui->useCustomProxy->setChecked(settings->useCustomProxy());
     m_ui->customProxyLocation->setText(settings->replaceHomePath(settings->customProxyLocation()));
     m_ui->updateBinaryPath->setChecked(settings->updateBinaryPath());
-    m_ui->allowGetDatabaseEntriesRequest->setChecked(settings->allowGetDatabaseEntriesRequest());
     m_ui->allowExpiredCredentials->setChecked(settings->allowExpiredCredentials());
     m_ui->chromeSupport->setChecked(settings->browserSupport(BrowserShared::CHROME));
     m_ui->chromiumSupport->setChecked(settings->browserSupport(BrowserShared::CHROMIUM));
@@ -232,9 +230,7 @@ void BrowserSettingsWidget::saveSettings()
     settings->setCustomProxyLocation(resolveCustomProxyLocation());
 
     settings->setUpdateBinaryPath(m_ui->updateBinaryPath->isChecked());
-    settings->setAllowGetDatabaseEntriesRequest(m_ui->allowGetDatabaseEntriesRequest->isChecked());
     settings->setAllowExpiredCredentials(m_ui->allowExpiredCredentials->isChecked());
-    settings->setAlwaysAllowAccess(m_ui->alwaysAllowAccess->isChecked());
     settings->setAlwaysAllowUpdate(m_ui->alwaysAllowUpdate->isChecked());
     settings->setHttpAuthPermission(m_ui->httpAuthPermission->isChecked());
     settings->setSearchInAllDatabases(m_ui->searchInAllDatabases->isChecked());

src/browser/BrowserSettingsWidget.ui

@@ -279,13 +279,6 @@
          </property>
         </widget>
        </item>
-       <item>
-        <widget class="QCheckBox" name="alwaysAllowAccess">
-         <property name="text">
-          <string extracomment="Credentials mean login data requested via browser extension">Never ask before accessing credentials</string>
-         </property>
-        </widget>
-       </item>
        <item>
         <widget class="QCheckBox" name="alwaysAllowUpdate">
          <property name="text">
@@ -340,16 +333,6 @@
          </property>
         </widget>
        </item>
-       <item>
-        <widget class="QCheckBox" name="allowGetDatabaseEntriesRequest">
-         <property name="toolTip">
-          <string>Allow keepassxc-proxy to list all entries with their title, URL and UUID in connected databases.</string>
-         </property>
-         <property name="text">
-          <string>Allow limited access to all entries in connected databases (ignores site access restrictions)</string>
-         </property>
-        </widget>
-       </item>
        <item>
         <widget class="QCheckBox" name="useCustomProxy">
          <property name="toolTip">

src/browser/CMakeLists.txt

@@ -13,7 +13,7 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-if(WITH_XC_BROWSER)
+if (WITH_XC_BROWSER)
     include_directories(${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
     set(keepassxcbrowser_SOURCES
@@ -41,5 +41,6 @@ if(WITH_XC_BROWSER)
     endif()
 
     add_library(keepassxcbrowser STATIC ${keepassxcbrowser_SOURCES})
-    target_link_libraries(keepassxcbrowser Qt5::Core Qt5::Concurrent Qt5::Widgets Qt5::Network ${BOTAN_LIBRARIES})
+    target_link_libraries(keepassxcbrowser Qt5::Core Qt5::Concurrent Qt5::Widgets Qt5::Network ${BOTAN_LIBRARIES}
-endif()
+            keepassx_core)
+endif ()

src/core/Config.cpp

@@ -157,9 +157,7 @@ static const QHash<Config::ConfigKey, ConfigDirective> configStrings = {
     {Config::Browser_UseCustomProxy, {QS("Browser/UseCustomProxy"), Roaming, false}},
     {Config::Browser_CustomProxyLocation, {QS("Browser/CustomProxyLocation"), Roaming, {}}},
     {Config::Browser_UpdateBinaryPath, {QS("Browser/UpdateBinaryPath"), Roaming, true}},
-    {Config::Browser_AllowGetDatabaseEntriesRequest, {QS("Browser/AllowGetDatabaseEntriesRequest"), Roaming, false}},
     {Config::Browser_AllowExpiredCredentials, {QS("Browser/AllowExpiredCredentials"), Roaming, false}},
-    {Config::Browser_AlwaysAllowAccess, {QS("Browser/AlwaysAllowAccess"), Roaming, false}},
     {Config::Browser_AlwaysAllowUpdate, {QS("Browser/AlwaysAllowUpdate"), Roaming, false}},
     {Config::Browser_HttpAuthPermission, {QS("Browser/HttpAuthPermission"), Roaming, false}},
     {Config::Browser_SearchInAllDatabases, {QS("Browser/SearchInAllDatabases"), Roaming, false}},

src/core/Config.h

@@ -137,9 +137,7 @@ public:
         Browser_UseCustomProxy,
         Browser_CustomProxyLocation,
         Browser_UpdateBinaryPath,
-        Browser_AllowGetDatabaseEntriesRequest,
         Browser_AllowExpiredCredentials,
-        Browser_AlwaysAllowAccess,
         Browser_AlwaysAllowUpdate,
         Browser_HttpAuthPermission,
         Browser_SearchInAllDatabases,

src/core/CustomData.cpp

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2018 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2023 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -24,6 +24,7 @@ const QString CustomData::LastModified = QStringLiteral("_LAST_MODIFIED");
 const QString CustomData::Created = QStringLiteral("_CREATED");
 const QString CustomData::BrowserKeyPrefix = QStringLiteral("KPXC_BROWSER_");
 const QString CustomData::BrowserLegacyKeyPrefix = QStringLiteral("Public Key: ");
+const QString CustomData::OptionPrefix = QStringLiteral("KPXC_OPTION_");
 const QString CustomData::ExcludeFromReportsLegacy = QStringLiteral("KnownBad");
 const QString CustomData::FdoSecretsExposedGroup = QStringLiteral("FDO_SECRETS_EXPOSED_GROUP");
 const QString CustomData::RandomSlug = QStringLiteral("KPXC_RANDOM_SLUG");

src/core/CustomData.h

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2018 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2023 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -72,6 +72,7 @@ public:
     static const QString FdoSecretsExposedGroup;
     static const QString RandomSlug;
     static const QString RemoteProgramSettings;
+    static const QString OptionPrefix;
 
     // Pre-KDBX 4.1
     static const QString ExcludeFromReportsLegacy;

src/core/DatabaseSettings.cpp

@@ -0,0 +1,73 @@
+/*
+ *  Copyright (C) 2023 KeePassXC Team <team@keepassxc.org>
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "DatabaseSettings.h"
+#include "core/CustomData.h"
+#include "core/Global.h"
+#include "core/Metadata.h"
+
+Q_GLOBAL_STATIC(DatabaseSettings, s_databaseSettings);
+
+DatabaseSettings* DatabaseSettings::instance()
+{
+    return s_databaseSettings;
+}
+
+const QString DatabaseSettings::OPTION_ALLOW_GET_DATABASE_ENTRIES_REQUEST =
+    QStringLiteral("BrowserAllowGetDatabaseEntriesRequest");
+const QString DatabaseSettings::OPTION_ALWAYS_ALLOW_ACCESS = QStringLiteral("BrowserAlwaysAllowAccess");
+
+bool DatabaseSettings::getAlwaysAllowAccess(const QSharedPointer<Database>& db)
+{
+    return getCustomDataOption(db, DatabaseSettings::OPTION_ALWAYS_ALLOW_ACCESS) == TRUE_STR;
+}
+
+void DatabaseSettings::setAlwaysAllowAccess(const QSharedPointer<Database>& db, bool enabled)
+{
+    setCustomDataOption(db, DatabaseSettings::OPTION_ALWAYS_ALLOW_ACCESS, enabled ? TRUE_STR : FALSE_STR);
+}
+
+bool DatabaseSettings::getAllowGetDatabaseEntriesRequest(const QSharedPointer<Database>& db)
+{
+    return getCustomDataOption(db, DatabaseSettings::OPTION_ALLOW_GET_DATABASE_ENTRIES_REQUEST) == TRUE_STR;
+}
+
+void DatabaseSettings::setAllowGetDatabaseEntriesRequest(const QSharedPointer<Database>& db, bool enabled)
+{
+    setCustomDataOption(
+        db, DatabaseSettings::OPTION_ALLOW_GET_DATABASE_ENTRIES_REQUEST, enabled ? TRUE_STR : FALSE_STR);
+}
+
+QString DatabaseSettings::getCustomDataOption(const QSharedPointer<Database>& db, const QString& key) const
+{
+    if (!db) {
+        return {};
+    }
+
+    return db->metadata()->customData()->value(CustomData::OptionPrefix + key);
+}
+
+void DatabaseSettings::setCustomDataOption(const QSharedPointer<Database>& db,
+                                           const QString& key,
+                                           const QString& value) const
+{
+    if (!db) {
+        return;
+    }
+
+    db->metadata()->customData()->set(CustomData::OptionPrefix + key, value);
+}

src/core/DatabaseSettings.h

@@ -0,0 +1,53 @@
+/*
+ *  Copyright (C) 2023 KeePassXC Team <team@keepassxc.org>
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef DATABASESETTINGS_H
+#define DATABASESETTINGS_H
+
+#include "core/Database.h"
+#include <QObject>
+
+class DatabaseSettings : public QObject
+{
+    Q_OBJECT
+
+public:
+    Q_DISABLE_COPY(DatabaseSettings)
+
+    explicit DatabaseSettings() = default;
+    ;
+    static DatabaseSettings* instance();
+
+    bool getAlwaysAllowAccess(const QSharedPointer<Database>& db);
+    void setAlwaysAllowAccess(const QSharedPointer<Database>& db, bool enabled);
+    bool getAllowGetDatabaseEntriesRequest(const QSharedPointer<Database>& db);
+    void setAllowGetDatabaseEntriesRequest(const QSharedPointer<Database>& db, bool enabled);
+
+    static const QString OPTION_ALLOW_GET_DATABASE_ENTRIES_REQUEST;
+    static const QString OPTION_ALWAYS_ALLOW_ACCESS;
+
+private:
+    QString getCustomDataOption(const QSharedPointer<Database>& db, const QString& key) const;
+    void setCustomDataOption(const QSharedPointer<Database>& db, const QString& key, const QString& value) const;
+};
+
+static inline DatabaseSettings* databaseSettings()
+{
+    return DatabaseSettings::instance();
+}
+
+#endif // DATABASESETTINGS_H

src/gui/dbsettings/DatabaseSettingsDialog.cpp

@@ -155,7 +155,9 @@ void DatabaseSettingsDialog::save()
         return;
     }
 
-    // Browser settings don't have anything to save
+#ifdef WITH_XC_BROWSER
+    m_browserWidget->saveSettings();
+#endif
 
 #ifdef WITH_XC_KEESHARE
     m_keeShareWidget->saveSettings();

src/gui/dbsettings/DatabaseSettingsWidgetBrowser.cpp

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2022 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2023 KeePassXC Team <team@keepassxc.org>
  *  Copyright (C) 2018 Sami Vänttinen <sami.vanttinen@protonmail.com>
  *
  *  This program is free software: you can redistribute it and/or modify
@@ -69,6 +69,9 @@ CustomData* DatabaseSettingsWidgetBrowser::customData() const
 
 void DatabaseSettingsWidgetBrowser::initialize()
 {
+    m_ui->alwaysAllowAccess->setChecked(browserService()->getAlwaysAllowAccess());
+    m_ui->allowGetDatabaseEntriesRequest->setChecked(browserService()->getAllowGetDatabaseEntriesRequest());
+
     updateModel();
     settingsWarning();
 }
@@ -84,6 +87,8 @@ void DatabaseSettingsWidgetBrowser::showEvent(QShowEvent* event)
 
 bool DatabaseSettingsWidgetBrowser::saveSettings()
 {
+    browserService()->setAlwaysAllowAccess(m_ui->alwaysAllowAccess->isChecked());
+    browserService()->setAllowGetDatabaseEntriesRequest(m_ui->allowGetDatabaseEntriesRequest->isChecked());
     return true;
 }
 

src/gui/dbsettings/DatabaseSettingsWidgetBrowser.ui

@@ -54,8 +54,8 @@
       <string>KeePassXC-Browser settings</string>
      </property>
      <layout class="QGridLayout" name="gridLayout">
-      <item row="0" column="0">
+      <item row="1" column="0">
-       <widget class="QPushButton" name="removeSharedEncryptionKeys">
+       <widget class="QPushButton" name="refreshDatabaseID">
         <property name="sizePolicy">
          <sizepolicy hsizetype="Preferred" vsizetype="Fixed">
           <horstretch>0</horstretch>
@@ -66,7 +66,7 @@
          <string>Convert legacy KeePassHTTP attributes to KeePassXC-Browser compatible custom data</string>
         </property>
         <property name="text">
-         <string>Disconnect all browsers</string>
+         <string>Refresh database root group ID</string>
         </property>
        </widget>
       </item>
@@ -83,8 +83,8 @@
         </property>
        </widget>
       </item>
-      <item row="1" column="0">
+      <item row="0" column="0">
-       <widget class="QPushButton" name="refreshDatabaseID">
+       <widget class="QPushButton" name="removeSharedEncryptionKeys">
         <property name="sizePolicy">
          <sizepolicy hsizetype="Preferred" vsizetype="Fixed">
           <horstretch>0</horstretch>
@@ -92,7 +92,24 @@
          </sizepolicy>
         </property>
         <property name="text">
-         <string>Refresh database root group ID</string>
+         <string>Disconnect all browsers</string>
+        </property>
+       </widget>
+      </item>
+      <item row="2" column="0" colspan="2">
+       <widget class="QCheckBox" name="alwaysAllowAccess">
+        <property name="text">
+         <string extracomment="Credentials mean login data requested via browser extension">Never confirm before sending credentials to the extension</string>
+        </property>
+       </widget>
+      </item>
+      <item row="3" column="0" colspan="2">
+       <widget class="QCheckBox" name="allowGetDatabaseEntriesRequest">
+        <property name="toolTip">
+         <string>Allow a connected program to list all entries with their title, URL and UUID regardless of individual access restrictions</string>
+        </property>
+        <property name="text">
+         <string>Allow limited access to all entries (may be used by third-party solutions)</string>
         </property>
        </widget>
       </item>

tests/TestBrowser.cpp

@@ -19,6 +19,7 @@
 
 #include "browser/BrowserMessageBuilder.h"
 #include "browser/BrowserSettings.h"
+#include "core/DatabaseSettings.h"
 #include "core/Group.h"
 #include "core/Tools.h"
 #include "crypto/Crypto.h"
@@ -740,3 +741,25 @@ void TestBrowser::testRestrictBrowserKey()
     QCOMPARE(sorted[2]->url(), QString("https://example.com/2"));
     QCOMPARE(sorted[3]->url(), QString("https://example.com/0"));
 }
+
+void TestBrowser::testGetDatabaseEntries()
+{
+    auto db = QSharedPointer<Database>::create();
+    auto* root = db->rootGroup();
+
+    QStringList urls = {"https://github.com/loginpage", "https://test.github.com/", "https://github.com/"};
+    auto entries = createEntries(urls, root);
+    Q_UNUSED(entries)
+
+    bool accessDenied = true;
+
+    databaseSettings()->setAllowGetDatabaseEntriesRequest(db, false);
+    auto result = browserService()->getDatabaseEntries(&accessDenied, db);
+    QCOMPARE(accessDenied, true);
+    QCOMPARE(result.isEmpty(), true);
+
+    databaseSettings()->setAllowGetDatabaseEntriesRequest(db, true);
+    result = browserService()->getDatabaseEntries(&accessDenied, db);
+    QCOMPARE(accessDenied, false);
+    QCOMPARE(result.isEmpty(), false);
+}

tests/TestBrowser.h

@@ -50,6 +50,7 @@ private slots:
     void testBestMatchingCredentials();
     void testBestMatchingWithAdditionalURLs();
     void testRestrictBrowserKey();
+    void testGetDatabaseEntries();
 
 private:
     QList<Entry*> createEntries(QStringList& urls, Group* root) const;