[Privileges 2] ReasonRequired is not enforced if the dropdown is empty

[aduffner]

Impact

Users can be granted administrator rights without giving a reason, even though ReasonMinLength is set to 20 and ReasonRequired is set to true.

Tested on

• macOS 15.0 (24A335)
• Privileges 2.0.0b1761

Config applied to testing system via mdm on computer level:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>ExpirationInterval</key>
    <integer>5</integer>
    <key>ExpirationIntervalMax</key>
    <integer>60</integer>
    <key>RequireAuthentication</key>
    <true/>
    <key>AllowCLIBiometricAuthentication</key>
    <true/>
    <key>RevokePrivilegesAtLogin</key>
    <true/>
    <key>PostChangeActionOnGrantOnly</key>
    <true/>
    <key>ReasonMinLength</key>
    <integer>20</integer>
    <key>ReasonMaxLength</key>
    <integer>50</integer>
    <key>ReasonRequired</key>
    <true/>
    <key>ReasonPresetList</key>
    <array>
      <dict>
        <key>de</key>
        <string>Um Software zu installieren</string>
        <key>default</key>
        <string>For installing software</string>
      </dict>
      <dict>
        <key>de</key>
        <string>Für Schabernack</string>
        <key>default</key>
        <string>For fun</string>
      </dict>
    </array>
    <!-- TODO: Webhook or RemoteLogging -->
  </dict>
</plist>

Steps of reproduction

Step 1: Click on the Privileges Beta Icon from your Dock, you will get asked the following:

Step 2: Click into the dropdown:

Step 3: Click anywhere outside the dropdown:

✅ Now you are seeing that you can claim admin rights without providing a reason. I guess this is not an expected result.

[mthielemann]

Nice catch! This seems to happen only if the language is set to German. I'll look into it. Thanks!

[mthielemann]

Already fixed. Will be included in the next build.