PolicyKit: Branch 'master'
David Zeuthen
david at kemper.freedesktop.org
Wed Oct 31 11:43:05 PDT 2007
polkit-dbus/polkit-read-auth-helper.c | 41 +++++++++++++++++++++++++---
polkit-grant/polkit-explicit-grant-helper.c | 34 +++++++++++++++++------
polkit-grant/polkit-grant-helper.c | 12 +++++++-
polkit-grant/polkit-revoke-helper.c | 32 ++++++++++++++++-----
polkit/polkit-context.c | 17 +++++++++--
polkit/polkit-context.h | 6 ++--
polkitd/polkit-daemon.c | 9 ++++--
tools/polkit-auth.c | 8 +++--
8 files changed, 127 insertions(+), 32 deletions(-)
New commits:
commit 035e6ee497eca895506cff376d6154e9fa9327ca
Author: David Zeuthen <davidz at redhat.com>
Date: Wed Oct 31 14:41:00 2007 -0400
make polkit_context_is_[caller|session]_authorized() take a PolKitError
diff --git a/polkit-dbus/polkit-read-auth-helper.c b/polkit-dbus/polkit-read-auth-helper.c
index 2701634..3a067d9 100644
--- a/polkit-dbus/polkit-read-auth-helper.c
+++ b/polkit-dbus/polkit-read-auth-helper.c
@@ -58,6 +58,8 @@ check_for_auth (uid_t caller_uid, pid_t caller_pid)
PolKitCaller *caller;
PolKitAction *action;
PolKitContext *context;
+ PolKitError *pk_error;
+ PolKitResult pk_result;
ret = FALSE;
@@ -92,12 +94,33 @@ check_for_auth (uid_t caller_uid, pid_t caller_pid)
fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitContext\n");
goto out;
}
- if (!polkit_context_init (context, NULL)) {
- fprintf (stderr, "polkit-read-auth-helper: cannot initialize polkit\n");
+
+ pk_error = NULL;
+ if (!polkit_context_init (context, &pk_error)) {
+ fprintf (stderr, "polkit-read-auth-helper: cannot initialize polkit context: %s: %s\n",
+ polkit_error_get_error_name (pk_error),
+ polkit_error_get_error_message (pk_error));
+ polkit_error_free (pk_error);
goto out;
}
- if (polkit_context_is_caller_authorized (context, action, caller, FALSE) != POLKIT_RESULT_YES) {
+ pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
+ if (polkit_error_is_set (pk_error)) {
+
+ if (polkit_error_get_error_code (pk_error) ==
+ POLKIT_ERROR_NOT_AUTHORIZED_TO_READ_AUTHORIZATIONS_FOR_OTHER_USERS) {
+ polkit_error_free (pk_error);
+ pk_error = NULL;
+ } else {
+ fprintf (stderr, "polkit-read-auth-helper: cannot determine if caller is authorized: %s: %s\n",
+ polkit_error_get_error_name (pk_error),
+ polkit_error_get_error_message (pk_error));
+ polkit_error_free (pk_error);
+ goto out;
+ }
+ }
+
+ if (pk_result != POLKIT_RESULT_YES) {
/* having 'grant' (which is a lot more powerful) is also sufficient.. this is because 'read'
* is required to 'grant' (to check if there's a similar authorization already)
*/
@@ -105,7 +128,17 @@ check_for_auth (uid_t caller_uid, pid_t caller_pid)
fprintf (stderr, "polkit-read-auth-helper: cannot set action_id\n");
goto out;
}
- if (polkit_context_is_caller_authorized (context, action, caller, FALSE) != POLKIT_RESULT_YES) {
+
+ pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
+ if (polkit_error_is_set (pk_error)) {
+ fprintf (stderr, "polkit-read-auth-helper: cannot determine if caller is authorized: %s: %s\n",
+ polkit_error_get_error_name (pk_error),
+ polkit_error_get_error_message (pk_error));
+ polkit_error_free (pk_error);
+ goto out;
+ }
+
+ if (pk_result != POLKIT_RESULT_YES) {
goto out;
}
}
diff --git a/polkit-grant/polkit-explicit-grant-helper.c b/polkit-grant/polkit-explicit-grant-helper.c
index 45f2bc4..3f5d2ef 100644
--- a/polkit-grant/polkit-explicit-grant-helper.c
+++ b/polkit-grant/polkit-explicit-grant-helper.c
@@ -56,13 +56,15 @@ check_pid_for_authorization (pid_t caller_pid, const char *action_id)
PolKitCaller *caller;
PolKitAction *action;
PolKitContext *context;
+ PolKitError *pk_error;
+ PolKitResult pk_result;
ret = FALSE;
dbus_error_init (&error);
bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
if (bus == NULL) {
- fprintf (stderr, "polkit-read-auth-helper: cannot connect to system bus: %s: %s\n",
+ fprintf (stderr, "polkit-explicit-grant-helper: cannot connect to system bus: %s: %s\n",
error.name, error.message);
dbus_error_free (&error);
goto out;
@@ -70,34 +72,48 @@ check_pid_for_authorization (pid_t caller_pid, const char *action_id)
caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
if (caller == NULL) {
- fprintf (stderr, "polkit-read-auth-helper: cannot get caller from pid: %s: %s\n",
+ fprintf (stderr, "polkit-explicit-grant-helper: cannot get caller from pid: %s: %s\n",
error.name, error.message);
goto out;
}
action = polkit_action_new ();
if (action == NULL) {
- fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitAction\n");
+ fprintf (stderr, "polkit-explicit-grant-helper: cannot allocate PolKitAction\n");
goto out;
}
if (!polkit_action_set_action_id (action, action_id)) {
- fprintf (stderr, "polkit-read-auth-helper: cannot set action_id\n");
+ fprintf (stderr, "polkit-explicit-grant-helper: cannot set action_id\n");
goto out;
}
context = polkit_context_new ();
if (context == NULL) {
- fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitContext\n");
+ fprintf (stderr, "polkit-explicit-grant-helper: cannot allocate PolKitContext\n");
goto out;
}
- if (!polkit_context_init (context, NULL)) {
- fprintf (stderr, "polkit-read-auth-helper: cannot initialize polkit\n");
+
+ pk_error = NULL;
+ if (!polkit_context_init (context, &pk_error)) {
+ fprintf (stderr, "polkit-explicit-grant-helper: cannot initialize polkit context: %s: %s\n",
+ polkit_error_get_error_name (pk_error),
+ polkit_error_get_error_message (pk_error));
+ polkit_error_free (pk_error);
+ goto out;
+ }
+
+ pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
+ if (polkit_error_is_set (pk_error)) {
+ fprintf (stderr, "polkit-explicit-grant-helper: cannot determine if caller is authorized: %s: %s\n",
+ polkit_error_get_error_name (pk_error),
+ polkit_error_get_error_message (pk_error));
+ polkit_error_free (pk_error);
goto out;
}
- if (polkit_context_is_caller_authorized (context, action, caller, FALSE) != POLKIT_RESULT_YES) {
+ if (pk_result != POLKIT_RESULT_YES) {
//fprintf (stderr,
- // "polkit-read-auth-helper: uid %d (pid %d) does not have the "
+ // "polkit-explicit-grant-helper: uid %d (pid %d) does not have the "
// "org.freedesktop.policykit.read-other-authorizations authorization\n",
// caller_uid, caller_pid);
goto out;
diff --git a/polkit-grant/polkit-grant-helper.c b/polkit-grant/polkit-grant-helper.c
index a191a15..43153f7 100644
--- a/polkit-grant/polkit-grant-helper.c
+++ b/polkit-grant/polkit-grant-helper.c
@@ -267,7 +267,17 @@ verify_with_polkit (PolKitContext *pol_ctx,
PolKitResult *out_result,
char ***out_admin_users)
{
- *out_result = polkit_context_is_caller_authorized (pol_ctx, action, caller, FALSE);
+ PolKitError *pk_error;
+
+ pk_error = NULL;
+ *out_result = polkit_context_is_caller_authorized (pol_ctx, action, caller, FALSE, &pk_error);
+ if (polkit_error_is_set (pk_error)) {
+ fprintf (stderr, "polkit-grant-helper: cannot determine if caller is authorized: %s: %s\n",
+ polkit_error_get_error_name (pk_error),
+ polkit_error_get_error_message (pk_error));
+ polkit_error_free (pk_error);
+ goto error;
+ }
if (*out_result != POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH &&
*out_result != POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION &&
diff --git a/polkit-grant/polkit-revoke-helper.c b/polkit-grant/polkit-revoke-helper.c
index 8e28d65..13d4b67 100644
--- a/polkit-grant/polkit-revoke-helper.c
+++ b/polkit-grant/polkit-revoke-helper.c
@@ -54,13 +54,15 @@ check_for_revoke_authorization (pid_t caller_pid)
PolKitCaller *caller;
PolKitAction *action;
PolKitContext *context;
+ PolKitError *pk_error;
+ PolKitResult pk_result;
ret = FALSE;
dbus_error_init (&error);
bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
if (bus == NULL) {
- fprintf (stderr, "polkit-read-auth-helper: cannot connect to system bus: %s: %s\n",
+ fprintf (stderr, "polkit-revoke-helper: cannot connect to system bus: %s: %s\n",
error.name, error.message);
dbus_error_free (&error);
goto out;
@@ -68,32 +70,46 @@ check_for_revoke_authorization (pid_t caller_pid)
caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
if (caller == NULL) {
- fprintf (stderr, "polkit-read-auth-helper: cannot get caller from pid: %s: %s\n",
+ fprintf (stderr, "polkit-revoke-helper: cannot get caller from pid: %s: %s\n",
error.name, error.message);
goto out;
}
action = polkit_action_new ();
if (action == NULL) {
- fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitAction\n");
+ fprintf (stderr, "polkit-revoke-helper: cannot allocate PolKitAction\n");
goto out;
}
if (!polkit_action_set_action_id (action, "org.freedesktop.policykit.revoke")) {
- fprintf (stderr, "polkit-read-auth-helper: cannot set action_id\n");
+ fprintf (stderr, "polkit-revoke-helper: cannot set action_id\n");
goto out;
}
context = polkit_context_new ();
if (context == NULL) {
- fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitContext\n");
+ fprintf (stderr, "polkit-revoke-helper: cannot allocate PolKitContext\n");
goto out;
}
- if (!polkit_context_init (context, NULL)) {
- fprintf (stderr, "polkit-read-auth-helper: cannot initialize polkit\n");
+
+ pk_error = NULL;
+ if (!polkit_context_init (context, &pk_error)) {
+ fprintf (stderr, "polkit-revoke-helper: cannot initialize polkit context: %s: %s\n",
+ polkit_error_get_error_name (pk_error),
+ polkit_error_get_error_message (pk_error));
+ polkit_error_free (pk_error);
goto out;
}
- if (polkit_context_is_caller_authorized (context, action, caller, FALSE) != POLKIT_RESULT_YES) {
+ pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
+ if (polkit_error_is_set (pk_error)) {
+ fprintf (stderr, "polkit-revoke-helper: cannot determine if caller is authorized: %s: %s\n",
+ polkit_error_get_error_name (pk_error),
+ polkit_error_get_error_message (pk_error));
+ polkit_error_free (pk_error);
+ goto out;
+ }
+
+ if (pk_result != POLKIT_RESULT_YES) {
goto out;
}
diff --git a/polkit/polkit-context.c b/polkit/polkit-context.c
index 5b14063..d506c8d 100644
--- a/polkit/polkit-context.c
+++ b/polkit/polkit-context.c
@@ -428,6 +428,7 @@ polkit_context_get_policy_cache (PolKitContext *pk_context)
* @session: the session in question
* @is_mechanism: Whether the mechanism carrying out the action is
* asking. This can be used to revoke one-time-only authorizations.
+ * @error: return location for error
*
* Determine if any caller from a giver session is authorized to do a
* given action.
@@ -441,7 +442,8 @@ PolKitResult
polkit_context_is_session_authorized (PolKitContext *pk_context,
PolKitAction *action,
PolKitSession *session,
- polkit_bool_t is_mechanism)
+ polkit_bool_t is_mechanism,
+ PolKitError **error)
{
/* TODO: properly implement */
return polkit_context_can_session_do_action (pk_context, action, session);
@@ -454,8 +456,13 @@ polkit_context_is_session_authorized (PolKitContext *pk_context,
* @caller: the caller in question
* @is_mechanism: Whether the mechanism carrying out the action is
* asking. This can be used to revoke one-time-only authorizations.
+ * @error: return location for error
*
- * Determine if a given caller is authorized to do a given action.
+ * Determine if a given caller is authorized to do a given
+ * action.
+ *
+ * This can fail with the following errors:
+ * #POLKIT_ERROR_NOT_AUTHORIZED_TO_READ_AUTHORIZATIONS_FOR_OTHER_USERS
*
* Returns: A #PolKitResult specifying if, and how, the caller can
* do a specific action.
@@ -466,7 +473,8 @@ PolKitResult
polkit_context_is_caller_authorized (PolKitContext *pk_context,
PolKitAction *action,
PolKitCaller *caller,
- polkit_bool_t is_mechnanism)
+ polkit_bool_t is_mechnanism,
+ PolKitError **error)
{
/* TODO: properly implement */
return polkit_context_can_caller_do_action (pk_context, action, caller);
@@ -480,6 +488,9 @@ polkit_context_is_caller_authorized (PolKitContext *pk_context,
*
* Determine if a given session can do a given action.
*
+ * This can fail with the following errors:
+ * #POLKIT_ERROR_NOT_AUTHORIZED_TO_READ_AUTHORIZATIONS_FOR_OTHER_USERS
+ *
* Returns: A #PolKitResult - can only be one of
* #POLKIT_RESULT_YES, #POLKIT_RESULT_NO.
*
diff --git a/polkit/polkit-context.h b/polkit/polkit-context.h
index bc3ed8b..165ad50 100644
--- a/polkit/polkit-context.h
+++ b/polkit/polkit-context.h
@@ -173,12 +173,14 @@ PolKitConfig *polkit_context_get_config (PolKitContext *pk_context, PolKitError
PolKitResult polkit_context_is_caller_authorized (PolKitContext *pk_context,
PolKitAction *action,
PolKitCaller *caller,
- polkit_bool_t is_mechanism);
+ polkit_bool_t is_mechanism,
+ PolKitError **error);
PolKitResult polkit_context_is_session_authorized (PolKitContext *pk_context,
PolKitAction *action,
PolKitSession *session,
- polkit_bool_t is_mechanism);
+ polkit_bool_t is_mechanism,
+ PolKitError **error);
PolKitAuthorizationDB *polkit_context_get_authorization_db (PolKitContext *pk_context);
diff --git a/polkitd/polkit-daemon.c b/polkitd/polkit-daemon.c
index 87b6ed3..9a74246 100644
--- a/polkitd/polkit-daemon.c
+++ b/polkitd/polkit-daemon.c
@@ -416,7 +416,8 @@ is_caller_authorized (PolKitDaemon *daemon,
pk_result = polkit_context_is_caller_authorized (daemon->priv->pk_context,
pk_action,
pk_caller_who_wants_to_know,
- FALSE);
+ FALSE,
+ NULL);
polkit_action_unref (pk_action);
if (pk_result != POLKIT_RESULT_YES) {
error = g_error_new (POLKIT_DAEMON_ERROR,
@@ -432,7 +433,11 @@ is_caller_authorized (PolKitDaemon *daemon,
pk_action = polkit_action_new ();
polkit_action_set_action_id (pk_action, action_id);
- pk_result = polkit_context_is_caller_authorized (daemon->priv->pk_context, pk_action, pk_caller, is_mechanism);
+ pk_result = polkit_context_is_caller_authorized (daemon->priv->pk_context,
+ pk_action,
+ pk_caller,
+ is_mechanism,
+ NULL);
polkit_action_unref (pk_action);
dbus_g_method_return (context, polkit_result_to_string_representation (pk_result));
diff --git a/tools/polkit-auth.c b/tools/polkit-auth.c
index 38429c1..65d2d28 100644
--- a/tools/polkit-auth.c
+++ b/tools/polkit-auth.c
@@ -427,7 +427,7 @@ auth_iterator_cb (PolKitAuthorizationDB *authdb,
pk_action = polkit_action_new ();
polkit_action_set_action_id (pk_action, action_id);
- pk_result = polkit_context_is_caller_authorized (pk_context, pk_action, pk_caller, FALSE);
+ pk_result = polkit_context_is_caller_authorized (pk_context, pk_action, pk_caller, FALSE, NULL);
polkit_action_unref (pk_action);
printf (" Authorized: %s\n", pk_result == POLKIT_RESULT_YES ? "Yes" : "No");
@@ -499,7 +499,8 @@ pfe_iterator_cb (PolKitPolicyCache *policy_cache,
if (polkit_context_is_caller_authorized (pk_context,
action,
pk_caller,
- FALSE) == POLKIT_RESULT_YES) {
+ FALSE,
+ NULL) == POLKIT_RESULT_YES) {
printf ("%s\n", polkit_policy_file_entry_get_id (pfe));
}
@@ -519,7 +520,8 @@ pfe_iterator_show_obtainable_cb (PolKitPolicyCache *policy_cache,
switch (polkit_context_is_caller_authorized (pk_context,
action,
pk_caller,
- FALSE)) {
+ FALSE,
+ NULL)) {
default:
case POLKIT_RESULT_UNKNOWN:
case POLKIT_RESULT_NO:
More information about the hal-commit
mailing list