polkit_authority_check_authorization oddity

David Zeuthen david at fubar.dk
Thu Jul 16 11:11:30 PDT 2009


On Thu, 2009-07-16 at 09:53 +0100, Richard Hughes wrote:
> > It of course makes a lot of sense to return a message to the user about
> > _what_ failed and _why_. But polkit should already tell you this - e.g.
> > there are basically only three possible answers from polkit when you use
> > the ALLOW_USER_INTERACTION flag
> >
> >  o No, the user is not authorized
> >
> >  o Yes, the user is authorized
> >
> >  o The authorization check was cancelled
> >   (either by your own mechanism cancelling the check or by the user
> >    dismissing the authentication dialog)

Just checked, you only get org.freedesktop.PolicyKit1.Error.Cancelled if
you cancel the check yourself. If the user dismisses the dialog OR
fails to authenticate (the gnome authentication agent only allows three
tries) you are just told the user is not authorized. I remember changing
the behavior to this some time ago.

> This is what I don't understand. I understand that the output of
> polkit_authorization_result_get_is_authorized is boolean, which
> corresponds to the No and Yes actions. I also understand I can check
> the GCancellable to find out if the mechanism cancelled the
> authentication, 

FWIW, it's easier to just check if you got the .Cancelled error which in
libpolkit-gobject-1 translates to the POLKIT_ERROR_CANCELLED error code
in the GError.

> but I don't know how to find out if the user dismissed
> the authentication dialog, or if the session authentication agent
> simply doesn't exist.

If no authentication agent exists (or if you don't pass the
ALLOW_USER_INTERACTION flag) and the user could have obtained
authorization through authentication, then the get_is_challenge() method
on PolkitAuthorizationResult will return TRUE.

> I'm getting a few bugs where the polkit-gnome-authentication-agent-1
> process isn't running, and we can't show anything helpful to the user
> in this case. 

I'm not sure exactly what you think should be different in how polkit
works. Any concrete suggestions?

FWIW, I don't think the mechanism should care about whether an
authentication agent is available, whether the user dismissed the dialog
or just failed to authenticate or other _implementation_ details. In
fact, the system may be using an Authority Implementation that doesn't
even allow obtaining authorization through authentication. The point is
really that you can't make a lot of assumptions about how the Authority
implementation works.

> Maybe polkit-gnome-authentication-agent-1 should
> register a well known name on the session bus, and gnome-packagekit
> client tools should check for this service. I'm not sure. Ideas
> welcome.

Don't think this is a good idea - it would also break things like
fast-user switching. I just don't see why the PackageKit mechanism or
the GNOME PackageKit client tools need to care about whether an
authentication agent exists at all...

Thanks,
David
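
One way a mechanism can act on the outcomes described in this message, as an added example that is not part of the original message or of polkit's own code. The names check_outcome, classify, may_proceed and check_caller are hypothetical, and the polkit-calling part is compiled only where the libpolkit-gobject-1 headers are on the include path.

```c
/* Added example: mechanism-side handling of a polkit check result.
   check_outcome, classify, may_proceed, check_caller are hypothetical names. */
#include <stdbool.h>

typedef enum {
    CHECK_ALLOWED,    /* get_is_authorized() returned TRUE */
    CHECK_DENIED,     /* not authorized; covers dismissed dialog, failed auth */
    CHECK_CHALLENGE,  /* get_is_challenge(): no agent, or no interaction flag */
    CHECK_CANCELLED,  /* mechanism cancelled: POLKIT_ERROR_CANCELLED */
    CHECK_ERROR       /* any other failure; handled as a denial */
} check_outcome;

/* Pure decision logic, free of polkit types so it can be unit-tested. */
check_outcome classify(bool have_result, bool cancelled,
                       bool authorized, bool challenge)
{
    if (!have_result)
        return cancelled ? CHECK_CANCELLED : CHECK_ERROR;
    if (authorized)
        return CHECK_ALLOWED;
    return challenge ? CHECK_CHALLENGE : CHECK_DENIED;
}

/* Fail closed: only CHECK_ALLOWED lets the privileged operation run. */
bool may_proceed(check_outcome o) { return o == CHECK_ALLOWED; }

/* Real call into libpolkit-gobject-1, built only when its headers exist. */
#if defined(__has_include)
#if __has_include(<polkit/polkit.h>)
#include <polkit/polkit.h>
check_outcome check_caller(PolkitAuthority *authority, const char *bus_name,
                           const char *action_id, GCancellable *cancellable)
{
    GError *error = NULL;
    PolkitSubject *subject = polkit_system_bus_name_new(bus_name);
    PolkitAuthorizationResult *res = polkit_authority_check_authorization_sync(
        authority, subject, action_id, NULL,
        POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
        cancellable, &error);
    check_outcome o = classify(res != NULL,
        error && g_error_matches(error, POLKIT_ERROR, POLKIT_ERROR_CANCELLED),
        res && polkit_authorization_result_get_is_authorized(res),
        res && polkit_authorization_result_get_is_challenge(res));
    g_clear_error(&error);
    g_clear_object(&res);
    g_object_unref(subject);
    return o;
}
#endif
#endif
```

The mechanism never asks whether an agent is running; CHECK_CHALLENGE is the only agent-related signal it sees, and it is still a refusal.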



