Problems escaping spaces in string variable with grep command and SU

Question

macOS Ventura is apparently no longer letting us set the default Dock application items from root (command silently fails), so we are having to run in the user's space from our MDM script. Unfortunately, this means I have to chain a grep command with SU which is causing me all sorts of problems for items that have spaces:

zsh for the environment, other logic to set $current_user that's not relevant removed.

__dock_item() {
    printf '%s%s%s%s%s' \
           '<dict><key>tile-data</key><dict><key>file-data</key><dict>' \
           '<key>_CFURLString</key><string>' \
           "$1" \
           '</string><key>_CFURLStringType</key><integer>0</integer>' \
           '</dict></dict></dict>'
}

for dockItem in {/Applications/{"Google Chrome","Slack","zoom.us"}.app,"Done"}; do
    echo $dockItem
    if [[ -e "$dockItem" ]]; then
        if ! [[ $dockItem == "Done" ]]; then
            # Does not actually work, nor does setting GREP_ARRAY=(-q "$dockItem") with grep "${GREP_ARRAY[@]}"
            # does not properly escape the path when executed "Chrome.app does not exist"
            EscapedPath=$( echo "$dockItem" | sed 's/ /\\ /g' )
            if (/usr/bin/su - "${current_user}" -c "defaults read com.apple.dock persistent-apps | /usr/bin/grep -q $EscapedPath"); then
                printf '%s\n' 'Dock icon already found.'
            else
                printf '%s\n' 'Setting up Dock icons...'
                /usr/bin/su - "${current_user}" -c "defaults write com.apple.dock persistent-apps -array-add '$(__dock_item $dockItem)'"
            fi
        fi
    else
        printf '%s\n' 'Restarting Dock...'
        killall Dock
    fi
done

Any time it tries to process "Google Chrome" the grep command fails and the application is pinned to the dock again, creating an endless cycle of copies of Chrome being added.

I've tried multiple methods to escape $dockItem, and converting it to an array, but it fails to recognize the complete string in Ventura's zsh shell.

if (/usr/bin/su - "${current_user}" -c "defaults read com.apple.dock persistent-apps | /usr/bin/grep -q '$dockItem'"); then

Is not properly escaped when executed either.

Answer 1

Why not use sudo instead of su? it doesn't run the command via the user's shell, so filenames and strings don't need an additional layer of quoting. It does mean, however, that you can't run things like pipelines (defaults read ... | grep) in the user's shell, but you didn't really need to anyway; run the grep in the parent shell on the output from sudo defaults read.

After discussion in the comments, it looks like another part of the problem is that the name is URL=encoded (i.e. spaces are converted to "%20"), which can be converted with sed or even directly in bash: "${dockItem// /%20}" I still haven't tested this, but I think it'd be something like this:

[...]
if /usr/bin/sudo -u "${current_user}" defaults read com.apple.dock persistent-apps | /usr/bin/grep -Fq "${dockItem// /%20}"; then
 [...]
    /usr/bin/sudo -u "${current_user}" defaults write com.apple.dock persistent-apps -array-add "$(__dock_item "${dockItem// /%20}")"