PolicyKit: Branch 'master'
David Zeuthen
david at kemper.freedesktop.org
Fri Jul 6 07:20:35 PDT 2012
docs/man/polkit.xml | 52 +++++++++++-------
src/polkitbackend/init.js | 10 +++
test/data/etc/polkit-1/rules.d/10-testing.rules | 48 ++++++++--------
test/data/etc/polkit-1/rules.d/15-testing.rules | 6 +-
test/data/usr/share/polkit-1/rules.d/10-testing.rules | 4 -
test/data/usr/share/polkit-1/rules.d/20-testing.rules | 6 +-
6 files changed, 74 insertions(+), 52 deletions(-)
New commits:
commit 50dcb370edc365114fa6640770ebc253d39570ab
Author: David Zeuthen <zeuthen at gmail.com>
Date: Fri Jul 6 10:19:45 2012 -0400
Introduce a polkit.Result enumeration for authorization rules
This way an authorization rule can do this
return polkit.Result.YES;
which is slightly nicer than
return "yes";
https://bugs.freedesktop.org/show_bug.cgi?id=50983
Signed-off-by: David Zeuthen <zeuthen at gmail.com>
diff --git a/docs/man/polkit.xml b/docs/man/polkit.xml
index d48b1a0..1aebfc9 100644
--- a/docs/man/polkit.xml
+++ b/docs/man/polkit.xml
@@ -514,7 +514,7 @@ System Context | |
<funcprototype>
<?dbhtml funcsynopsis-style='ansi'?>
<funcdef>void <function>addRule</function></funcdef>
- <paramdef>string <function>function</function>(<parameter>action</parameter>, <parameter>subject</parameter>) {...}</paramdef>
+ <paramdef><type>polkit.Result</type> <function>function</function>(<parameter>action</parameter>, <parameter>subject</parameter>) {...}</paramdef>
</funcprototype>
</funcsynopsis>
@@ -553,26 +553,38 @@ System Context | |
<filename class='directory'>/etc/polkit-1/rules.d</filename>
with a name that sorts before other rules files, for example
<filename>00-early-checks.rules</filename>. Each function should
- return one of the values <literal>"no"</literal>,
- <literal>"yes"</literal>, <literal>"auth_self"</literal>,
- <literal>"auth_self_keep"</literal>,
- <literal>"auth_admin"</literal>,
- <literal>"auth_admin_keep"</literal> as defined above. If the
- function returns <constant>null</constant>,
- <constant>undefined</constant> or does not return a value at
- all, the next function is tried.
+ return a value from <literal>polkit.Result</literal>
+ </para>
+ <programlisting><![CDATA[
+polkit.Result = {
+ NO : "no",
+ YES : "yes",
+ AUTH_SELF : "auth_self",
+ AUTH_SELF_KEEP : "auth_self_keep",
+ AUTH_ADMIN : "auth_admin",
+ AUTH_ADMIN_KEEP : "auth_admin_keep",
+ NOT_HANDLED : null
+};
+]]></programlisting>
+ <para>
+ corresponding to the values that can be used as defaults. If
+ the function returns
+ <constant>polkit.Result.NOT_HANDLED</constant>,
+ <constant>null</constant>, <constant>undefined</constant> or
+ does not return a value at all, the next user function is
+ tried.
</para>
<para>
- Keep in mind that if <literal>"auth_self_keep"</literal> or
- <literal>"auth_admin_keep"</literal> is returned,
+ Keep in mind that if <constant>polkit.Result.AUTH_SELF_KEEP</constant>
+ or <constant>polkit.Result.AUTH_ADMIN_KEEP</constant> is returned,
authorization checks for the same action identifier and
- subject will succeed (that is, return "yes") for the next
+ subject will succeed (that is, return <constant>polkit.Result.YES</constant>) for the next
brief period (e.g. five minutes) <emphasis>even</emphasis> if
the variables passed along with the check are
different. Therefore, if the result of an authorization rule
depend on such variables, it should not use the
- <literal>"*_keep"</literal> variants (if similar functionality
+ <constant>"*_KEEP"</constant> constants (if similar functionality
is required, the authorization rule can easily implement
temporary authorizations using the
<ulink url="https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/Date"><type>Date</type></ulink>
@@ -825,7 +837,7 @@ May 24 14:28:50 thinkpad polkitd[32217]: /etc/polkit-1/rules.d/10-test.rules:4:
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.accounts.user-administration" &&
subject.isInGroup("admin")) {
- return "yes";
+ return polkit.Result.YES;
}
});
]]></programlisting>
@@ -850,9 +862,9 @@ polkit.addAdminRule(function(action, subject) {
polkit.addRule(function(action, subject) {
if (action.id.indexOf("org.freedesktop.hostname1.") == 0) {
if (subject.isInGroup("children")) {
- return "no";
+ return polkit.Result.NO;
} else {
- return "auth_self_keep";
+ return polkit.Result.AUTH_SELF_KEEP;
}
}
});
@@ -869,10 +881,10 @@ polkit.addRule(function(action, subject) {
// only if the passed username is authorized
polkit.spawn(["/opt/company/bin/user-may-reboot",
subject.user]);
- return "yes";
+ return polkit.Result.YES;
} catch (error) {
// Nope, but do allow admin authentication
- return "auth_admin";
+ return polkit.Result.AUTH_ADMIN;
}
}
});
@@ -888,7 +900,7 @@ polkit.addRule(function(action, subject) {
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.policykit.exec" &&
action.lookup("program") == "/usr/bin/cat") {
- return "auth_self";
+ return polkit.Result.AUTH_SELF;
}
});
]]></programlisting>
@@ -910,7 +922,7 @@ polkit.addRule(function(action, subject) {
action.lookup("drive.vendor") == "SEAGATE" &&
action.lookup("drive.model") == "ST3300657SS" &&
subject.isInGroup("engineers")) {
- return "yes";
+ return polkit.Result.YES;
}
}
});
diff --git a/src/polkitbackend/init.js b/src/polkitbackend/init.js
index 16862d4..af85d05 100644
--- a/src/polkitbackend/init.js
+++ b/src/polkitbackend/init.js
@@ -81,3 +81,13 @@ polkit._deleteRules = function() {
this._adminRuleFuncs = [];
this._ruleFuncs = [];
};
+
+polkit.Result = {
+ NO : "no",
+ YES : "yes",
+ AUTH_SELF : "auth_self",
+ AUTH_SELF_KEEP : "auth_self_keep",
+ AUTH_ADMIN : "auth_admin",
+ AUTH_ADMIN_KEEP : "auth_admin_keep",
+ NOT_HANDLED : null
+};
diff --git a/test/data/etc/polkit-1/rules.d/10-testing.rules b/test/data/etc/polkit-1/rules.d/10-testing.rules
index 4a17f8c..446e622 100644
--- a/test/data/etc/polkit-1/rules.d/10-testing.rules
+++ b/test/data/etc/polkit-1/rules.d/10-testing.rules
@@ -37,19 +37,19 @@ polkit.addAdminRule(function(action, subject) {
polkit.addRule(function(action, subject) {
if (action.id == "net.company.productA.action0") {
- return "auth_admin";
+ return polkit.Result.AUTH_ADMIN;
}
});
polkit.addRule(function(action, subject) {
if (action.id == "net.company.productA.action1") {
- return "auth_self";
+ return polkit.Result.AUTH_SELF;
}
});
polkit.addRule(function(action, subject) {
if (action.id == "net.company.order0") {
- return "yes";
+ return polkit.Result.YES;
}
});
@@ -59,11 +59,11 @@ polkit.addRule(function(action, subject) {
polkit.addRule(function(action, subject) {
if (action.id == "net.company.group.variables") {
if (action.lookup("foo") == "1")
- return "yes";
+ return polkit.Result.YES;
else if (action.lookup("foo") == "2")
- return "auth_self";
+ return polkit.Result.AUTH_SELF;
else
- return "auth_admin";
+ return polkit.Result.AUTH_ADMIN;
}
});
@@ -74,9 +74,9 @@ polkit.addRule(function(action, subject) {
polkit.addRule(function(action, subject) {
if (action.id == "net.company.group.only_group_users") {
if (subject.isInGroup("users"))
- return "yes";
+ return polkit.Result.YES;
else
- return "no";
+ return polkit.Result.NO;
}
});
@@ -86,9 +86,9 @@ polkit.addRule(function(action, subject) {
polkit.addRule(function(action, subject) {
if (action.id == "net.company.group.only_netgroup_users") {
if (subject.isInNetGroup("foo"))
- return "yes";
+ return polkit.Result.YES;
else
- return "no";
+ return polkit.Result.NO;
}
});
@@ -99,9 +99,9 @@ polkit.addRule(function(action, subject) {
if (action.id == "net.company.spawning.non_existing_helper") {
try {
polkit.spawn(["/path/to/non/existing/helper"]);
- return "no";
+ return polkit.Result.NO;
} catch (error) {
- return "yes";
+ return polkit.Result.YES;
}
}
});
@@ -110,9 +110,9 @@ polkit.addRule(function(action, subject) {
if (action.id == "net.company.spawning.successful_helper") {
try {
polkit.spawn(["/bin/true"]);
- return "yes";
+ return polkit.Result.YES;
} catch (error) {
- return "no";
+ return polkit.Result.NO;
}
}
});
@@ -121,9 +121,9 @@ polkit.addRule(function(action, subject) {
if (action.id == "net.company.spawning.failing_helper") {
try {
polkit.spawn(["/bin/false"]);
- return "no";
+ return polkit.Result.NO;
} catch (error) {
- return "yes";
+ return polkit.Result.YES;
}
}
});
@@ -133,11 +133,11 @@ polkit.addRule(function(action, subject) {
try {
var out = polkit.spawn(["echo", "-n", "-e", "Hello\nWorld"]);
if (out == "Hello\nWorld")
- return "yes";
+ return polkit.Result.YES;
else
- return "no";
+ return polkit.Result.NO;
} catch (error) {
- return "no";
+ return polkit.Result.NO;
}
}
});
@@ -146,11 +146,11 @@ polkit.addRule(function(action, subject) {
if (action.id == "net.company.spawning.helper_timeout") {
try {
polkit.spawn(["sleep", "20"]);
- return "no";
+ return polkit.Result.NO;
} catch (error) {
if (error == "Error: Error spawning helper: Timed out after 10 seconds (g-io-error-quark, 24)")
- return "yes";
- return "no";
+ return polkit.Result.YES;
+ return polkit.Result.NO;
}
}
});
@@ -168,8 +168,8 @@ polkit.addRule(function(action, subject) {
;
} catch (error) {
if (error == "Terminating runaway script")
- return "yes"
- return "no";
+ return polkit.Result.YES;
+ return polkit.Result.NO;
}
}
});
diff --git a/test/data/etc/polkit-1/rules.d/15-testing.rules b/test/data/etc/polkit-1/rules.d/15-testing.rules
index b64d731..00e214b 100644
--- a/test/data/etc/polkit-1/rules.d/15-testing.rules
+++ b/test/data/etc/polkit-1/rules.d/15-testing.rules
@@ -4,18 +4,18 @@
polkit.addRule(function(action, subject) {
if (action.id == "net.company.order0") {
- return "no"; // earlier rule should win
+ return polkit.Result.NO; // earlier rule should win
}
});
polkit.addRule(function(action, subject) {
if (action.id == "net.company.order1") {
- return "no"; // earlier rule should win
+ return polkit.Result.NO; // earlier rule should win
}
});
polkit.addRule(function(action, subject) {
if (action.id == "net.company.order2") {
- return "yes";
+ return polkit.Result.YES;
}
});
diff --git a/test/data/usr/share/polkit-1/rules.d/10-testing.rules b/test/data/usr/share/polkit-1/rules.d/10-testing.rules
index c60e262..1d553f6 100644
--- a/test/data/usr/share/polkit-1/rules.d/10-testing.rules
+++ b/test/data/usr/share/polkit-1/rules.d/10-testing.rules
@@ -6,12 +6,12 @@
polkit.addRule(function(action, subject) {
if (action.id == "net.company.order0") {
- return "no"; // earlier rule should win
+ return polkit.Result.NO; // earlier rule should win
}
});
polkit.addRule(function(action, subject) {
if (action.id == "net.company.order1") {
- return "yes";
+ return polkit.Result.YES;
}
});
diff --git a/test/data/usr/share/polkit-1/rules.d/20-testing.rules b/test/data/usr/share/polkit-1/rules.d/20-testing.rules
index 5c5bb2c..071f135 100644
--- a/test/data/usr/share/polkit-1/rules.d/20-testing.rules
+++ b/test/data/usr/share/polkit-1/rules.d/20-testing.rules
@@ -4,18 +4,18 @@
polkit.addRule(function(action, subject) {
if (action.id == "net.company.order0") {
- return "no"; // earlier rule should win
+ return polkit.Result.NO; // earlier rule should win
}
});
polkit.addRule(function(action, subject) {
if (action.id == "net.company.order1") {
- return "no"; // earlier rule should win
+ return polkit.Result.NO; // earlier rule should win
}
});
polkit.addRule(function(action, subject) {
if (action.id == "net.company.order2") {
- return "no"; // earlier rule should win
+ return polkit.Result.NO; // earlier rule should win
}
});
More information about the hal-commit
mailing list