Question - PolicyKit

Wed Jul 16 10:43:23 PDT 2008

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Zeuthen wrote:
> On Tue, 2008-07-15 at 16:20 -0400, dawg wrote:
>>> Uh, that's why you can change the defaults as I explained in the earlier
>>> mail. See, the defaults are chosen by the application developer. Of
>>> course some administrators will want to change them. So we provide a
>>> mechanism (e.g. polkit-action(1)) to do exactly that.
>>>   
>> I may have misunderstood you. Changing the default for the checkbox is 
>> exactly what I want to do. It sounded like you were stating that it was 
>> only possible to make it so that the "remember" option is *never* shown 
>> (not what I want).
> 
> No, I'm talking about changing the defaults for an action; e.g. if the
> default is
> 
>  auth_[self|admin] -> no checkboxes
>  http://hal.freedesktop.org/docs/PolicyKit-gnome/auth-self.png
> 
>  auth_[self|admin]_keep_session -> a single checkbox
>  http://hal.freedesktop.org/docs/PolicyKit-gnome/auth-retain-session.png
> 
>  auth_[self|admin]_keep_always -> two checkboxes
>  http://hal.freedesktop.org/docs/PolicyKit-gnome/auth-retain-always.png
> 
>> I was not saying that it doesn't make sense to allow them to retain 
>> authorization (I *want* it to in some cases), I am only saying it 
>> doesn't make sense for the checkbox to be ticked by default if it 
>> doesn't remember that it was unchecked in previous instances.
> 
> This doesn't make sense; either you want people to retain an
> authorization or you don't. If you don't simply change the defaults with
> the polkit-action(1) command line tool or the GNOME tool
> 
> http://people.freedesktop.org/~david/polkit-gnome-authorizations.png
> 
> Again, not checking the box when the dialog comes up is a _terrible_
> default. The whole *idea* behind retaining authorizations is that it's a
> boot-strap mechanism to let users accumulate authorizations. Which is
> exactly what you want on a system without administrators (e.g. consumer
> systems).
> 
> (as a side note: how to do this on set of managed systems using a
> directory server using roles is something I'm planning to add pretty
> soon; basically FreeIPA integration in PolicyKit. But more about that
> later.)
> 

David, what about simply storing the fact that, the last time through,
the user opted to uncheck that box. If they have done so once, retain
that state for future authorization requests until they manually check
it again. This would avoid the situation dawg described where a user has
to actively choose to remove the checkbox each and every time.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkh+MzsACgkQc7MaxVic+2rl4wCdHemkekdqFx481Iz4KvPkFzJf
dnIAnRYOmizN2xouGta73rIekzjMs7Bo
=NYBQ
-----END PGP SIGNATURE-----