From 60b7349bdc2ff2eb857b80bc89d377c53f3d67ab Mon Sep 17 00:00:00 2001 From: K900 Date: Sun, 30 Mar 2025 10:36:46 +0300 Subject: [PATCH] kdePackages.kio: allow loading admin worker from /nix/store This does technically somewhat extend the trust boundary, but users with permissions to put things in the store can basically do anything they want anyway, so this should be fine(tm). Fixes #394540.
---
.../kio/allow-admin-from-store.patch | 20 +++++++++++++++++++ pkgs/kde/frameworks/kio/default.nix | 2 ++ 2 files changed, 22 insertions(+) create mode 100644 pkgs/kde/frameworks/kio/allow-admin-from-store.patch
diff --git a/pkgs/kde/frameworks/kio/allow-admin-from-store.patch b/pkgs/kde/frameworks/kio/allow-admin-from-store.patch
new file mode 100644
index 000000000000..c35e1c8756e3
--- /dev/null
+++ b/pkgs/kde/frameworks/kio/allow-admin-from-store.patch
@@ -0,0 +1,20 @@
+diff --git a/src/core/worker.cpp b/src/core/worker.cpp
+index da423731c..443c8db19 100644
+--- a/src/core/worker.cpp
++++ b/src/core/worker.cpp
+@@ -343,13 +343,13 @@ Worker *Worker::createWorker(const QString &protocol, const QUrl &url, int &erro
+ return nullptr;
+ }
+
+- if (protocol == QLatin1String("admin") && !lib_path.startsWith(QLatin1String{KDE_INSTALL_FULL_KIO_PLUGINDIR})) {
++ if (protocol == QLatin1String("admin") && !lib_path.startsWith(QLatin1String("/nix/store"))) {
+ error_text = i18nc("@info %2 and %3 are paths",
+ "The KIO worker for protocol “%1” in %2 was not loaded because all KIO workers which are located outside of %3 and ask for elevated "
+ "privileges are considered insecure.",
+ protocol,
+ lib_path,
+- QLatin1String{KDE_INSTALL_FULL_KIO_PLUGINDIR});
++ QLatin1String("/nix/store"));
+ error = KIO::ERR_CANNOT_CREATE_WORKER;
+ return nullptr;
+ }
diff --git a/pkgs/kde/frameworks/kio/default.nix b/pkgs/kde/frameworks/kio/default.nix
index 45f448692baa..0bdcb039adff 100644
--- a/pkgs/kde/frameworks/kio/default.nix
+++ b/pkgs/kde/frameworks/kio/default.nix
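Review bot: The new check in `Worker::createWorker` (allow-admin-from-store.patch) compares against `"/nix/store"` with no trailing separator, so a sibling path such as a constructed `/nix/store-extra/...` also passes the prefix test for the privileged `admin` worker; use `!lib_path.startsWith(QLatin1String("/nix/store/"))` and keep the `%3` argument of the error message in step. `startsWith` is a purely textual match, and the part of `createWorker` that produces `lib_path` lies above the patched region, so whether the path is already canonical cannot be confirmed here; if it is not, comparing `QFileInfo(lib_path).canonicalFilePath()` instead would stop `..` segments or symlinks from satisfying the prefix. A short comment above the condition stating why the whole store is trusted (per the commit message, store writes already require privileged access) would help whoever rebases this patch onto a new kio release.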
@@ -11,6 +11,8 @@ mkKdeDerivation { patches = [ # Remove hardcoded smbd search path ./0001-Remove-impure-smbd-search-path.patch + # Allow loading kio-admin from the store + ./allow-admin-from-store.patch ]; extraBuildInputs = [