author | David Zeuthen <zeuthen@gmail.com> | 2012-07-06 10:19:45 -0400 |
---|---|---|
committer | David Zeuthen <zeuthen@gmail.com> | 2012-07-06 10:19:45 -0400 |
commit | 50dcb370edc365114fa6640770ebc253d39570ab (patch) | |
tree | a200e0baae0cb81dff23b91ea8307b61aafd3a9a | |
parent | d45564a8b3b90c9dd990746ed082f4302fc017c1 (diff) | |
download | polkit-50dcb370edc365114fa6640770ebc253d39570ab.tar.gz |
Introduce a polkit.Result enumeration for authorization rules
This way an authorization rule can do this
return polkit.Result.YES;
which is slightly nicer than
return "yes";
https://bugs.freedesktop.org/show_bug.cgi?id=50983
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
-rw-r--r-- | docs/man/polkit.xml | 52 | ||||
-rw-r--r-- | src/polkitbackend/init.js | 10 | ||||
-rw-r--r-- | test/data/etc/polkit-1/rules.d/10-testing.rules | 48 | ||||
-rw-r--r-- | test/data/etc/polkit-1/rules.d/15-testing.rules | 6 | ||||
-rw-r--r-- | test/data/usr/share/polkit-1/rules.d/10-testing.rules | 4 | ||||
-rw-r--r-- | test/data/usr/share/polkit-1/rules.d/20-testing.rules | 6 |
6 files changed, 74 insertions, 52 deletions
diff --git a/docs/man/polkit.xml b/docs/man/polkit.xml index d48b1a0..1aebfc9 100644 --- a/docs/man/polkit.xml +++ b/docs/man/polkit.xml @@ -514,7 +514,7 @@ System Context | | <funcprototype> <?dbhtml funcsynopsis-style='ansi'?> <funcdef>void <function>addRule</function></funcdef> - <paramdef>string <function>function</function>(<parameter>action</parameter>, <parameter>subject</parameter>) {...}</paramdef> + <paramdef><type>polkit.Result</type> <function>function</function>(<parameter>action</parameter>, <parameter>subject</parameter>) {...}</paramdef> </funcprototype> </funcsynopsis> 
@@ -553,26 +553,38 @@ System Context | | <filename class='directory'>/etc/polkit-1/rules.d</filename> with a name that sorts before other rules files, for example <filename>00-early-checks.rules</filename>. Each function should - return one of the values <literal>"no"</literal>, - <literal>"yes"</literal>, <literal>"auth_self"</literal>, - <literal>"auth_self_keep"</literal>, - <literal>"auth_admin"</literal>, - <literal>"auth_admin_keep"</literal> as defined above. If the - function returns <constant>null</constant>, - <constant>undefined</constant> or does not return a value at - all, the next function is tried. + return a value from <literal>polkit.Result</literal> + </para> + <programlisting><![CDATA[ +polkit.Result = { + NO : "no", + YES : "yes", + AUTH_SELF : "auth_self", + AUTH_SELF_KEEP : "auth_self_keep", + AUTH_ADMIN : "auth_admin", + AUTH_ADMIN_KEEP : "auth_admin_keep", + NOT_HANDLED : null +}; +]]></programlisting> + <para> + corresponding to the values that can be used as defaults. If + the function returns + <constant>polkit.Result.NOT_HANDLED</constant>, + <constant>null</constant>, <constant>undefined</constant> or + does not return a value at all, the next user function is + tried. </para> <para> - Keep in mind that if <literal>"auth_self_keep"</literal> or - <literal>"auth_admin_keep"</literal> is returned, + Keep in mind that if <constant>polkit.Result.AUTH_SELF_KEEP</constant> + or <constant>polkit.Result.AUTH_ADMIN_KEEP</constant> is returned, authorization checks for the same action identifier and - subject will succeed (that is, return "yes") for the next + subject will succeed (that is, return <constant>polkit.Result.YES</constant>) for the next brief period (e.g. five minutes) <emphasis>even</emphasis> if the variables passed along with the check are different. 
Therefore, if the result of an authorization rule depend on such variables, it should not use the - <literal>"*_keep"</literal> variants (if similar functionality + <constant>"*_KEEP"</constant> constants (if similar functionality is required, the authorization rule can easily implement temporary authorizations using the <ulink url="https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/Date"><type>Date</type></ulink> @@ -825,7 +837,7 @@ May 24 14:28:50 thinkpad polkitd[32217]: /etc/polkit-1/rules.d/10-test.rules:4: polkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.accounts.user-administration" && subject.isInGroup("admin")) { - return "yes"; + return polkit.Result.YES; } }); ]]></programlisting> @@ -850,9 +862,9 @@ polkit.addAdminRule(function(action, subject) { polkit.addRule(function(action, subject) { if (action.id.indexOf("org.freedesktop.hostname1.") == 0) { if (subject.isInGroup("children")) { - return "no"; + return polkit.Result.NO; } else { - return "auth_self_keep"; + return polkit.Result.AUTH_SELF_KEEP; } } }); @@ -869,10 +881,10 @@ polkit.addRule(function(action, subject) { // only if the passed username is authorized polkit.spawn(["/opt/company/bin/user-may-reboot", subject.user]); - return "yes"; + return polkit.Result.YES; } catch (error) { // Nope, but do allow admin authentication - return "auth_admin"; + return polkit.Result.AUTH_ADMIN; } } }); @@ -888,7 +900,7 @@ polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.policykit.exec" && action.lookup("program") == "/usr/bin/cat") { - return "auth_self"; + return polkit.Result.AUTH_SELF; } }); ]]></programlisting> @@ -910,7 +922,7 @@ polkit.addRule(function(action, subject) { action.lookup("drive.vendor") == "SEAGATE" && action.lookup("drive.model") == "ST3300657SS" && subject.isInGroup("engineers")) { - return "yes"; + return polkit.Result.YES; } } }); 
diff --git a/src/polkitbackend/init.js b/src/polkitbackend/init.js index 16862d4..af85d05 100644 --- a/src/polkitbackend/init.js +++ b/src/polkitbackend/init.js @@ -81,3 +81,13 @@ polkit._deleteRules = function() { this._adminRuleFuncs = []; this._ruleFuncs = []; }; + +polkit.Result = { + NO : "no", + YES : "yes", + AUTH_SELF : "auth_self", + AUTH_SELF_KEEP : "auth_self_keep", + AUTH_ADMIN : "auth_admin", + AUTH_ADMIN_KEEP : "auth_admin_keep", + NOT_HANDLED : null +}; diff --git a/test/data/etc/polkit-1/rules.d/10-testing.rules b/test/data/etc/polkit-1/rules.d/10-testing.rules index 4a17f8c..446e622 100644 --- a/test/data/etc/polkit-1/rules.d/10-testing.rules +++ b/test/data/etc/polkit-1/rules.d/10-testing.rules @@ -37,19 +37,19 @@ polkit.addAdminRule(function(action, subject) { polkit.addRule(function(action, subject) { if (action.id == "net.company.productA.action0") { - return "auth_admin"; + return polkit.Result.AUTH_ADMIN; } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.productA.action1") { - return "auth_self"; + return polkit.Result.AUTH_SELF; } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.order0") { - return "yes"; + return polkit.Result.YES; } }); @@ -59,11 +59,11 @@ polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) { if (action.id == "net.company.group.variables") { if (action.lookup("foo") == "1") - return "yes"; + return polkit.Result.YES; else if (action.lookup("foo") == "2") - return "auth_self"; + return polkit.Result.AUTH_SELF; else - return "auth_admin"; + return polkit.Result.AUTH_ADMIN; } }); @@ -74,9 +74,9 @@ polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) { if (action.id == "net.company.group.only_group_users") { if (subject.isInGroup("users")) - return "yes"; + return polkit.Result.YES; else - return "no"; + return polkit.Result.NO; } }); 
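Review bot: In the init.js hunk, `polkit.Result` is added as an ordinary mutable object, so any rules file evaluated in the same context can overwrite a member, by mistake or otherwise, and every rule that runs afterwards returns the altered value. If the embedded engine supports ES5, follow the literal with `Object.freeze(polkit.Result);`. The object also deserves a short comment on a new failure mode: a misspelled member such as `polkit.Result.YSE` evaluates to `undefined`, which the man page text in this same commit treats like `NOT_HANDLED`, so a typo in a rule meant to deny silently falls through to the next rule. Something like `// NOTE: a misspelled member is undefined and is handled as NOT_HANDLED, not as an error` above the literal would make that visible to rule authors. None of the fixture hunks in this commit return `polkit.Result.NOT_HANDLED`, so the fall-through path for the new constant appears untested here.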
@@ -86,9 +86,9 @@ polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) { if (action.id == "net.company.group.only_netgroup_users") { if (subject.isInNetGroup("foo")) - return "yes"; + return polkit.Result.YES; else - return "no"; + return polkit.Result.NO; } }); @@ -99,9 +99,9 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.spawning.non_existing_helper") { try { polkit.spawn(["/path/to/non/existing/helper"]); - return "no"; + return polkit.Result.NO; } catch (error) { - return "yes"; + return polkit.Result.YES; } } }); @@ -110,9 +110,9 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.spawning.successful_helper") { try { polkit.spawn(["/bin/true"]); - return "yes"; + return polkit.Result.YES; } catch (error) { - return "no"; + return polkit.Result.NO; } } }); @@ -121,9 +121,9 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.spawning.failing_helper") { try { polkit.spawn(["/bin/false"]); - return "no"; + return polkit.Result.NO; } catch (error) { - return "yes"; + return polkit.Result.YES; } } }); @@ -133,11 +133,11 @@ polkit.addRule(function(action, subject) { try { var out = polkit.spawn(["echo", "-n", "-e", "Hello\nWorld"]); if (out == "Hello\nWorld") - return "yes"; + return polkit.Result.YES; else - return "no"; + return polkit.Result.NO; } catch (error) { - return "no"; + return polkit.Result.NO; } } }); @@ -146,11 +146,11 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.spawning.helper_timeout") { try { polkit.spawn(["sleep", "20"]); - return "no"; + return polkit.Result.NO; } catch (error) { if (error == "Error: Error spawning helper: Timed out after 10 seconds (g-io-error-quark, 24)") - return "yes"; - return "no"; + return polkit.Result.YES; + return polkit.Result.NO; } } }); 
@@ -168,8 +168,8 @@ polkit.addRule(function(action, subject) { ; } catch (error) { if (error == "Terminating runaway script") - return "yes" - return "no"; + return polkit.Result.YES; + return polkit.Result.NO; } } }); diff --git a/test/data/etc/polkit-1/rules.d/15-testing.rules b/test/data/etc/polkit-1/rules.d/15-testing.rules index b64d731..00e214b 100644 --- a/test/data/etc/polkit-1/rules.d/15-testing.rules +++ b/test/data/etc/polkit-1/rules.d/15-testing.rules @@ -4,18 +4,18 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.order0") { - return "no"; // earlier rule should win + return polkit.Result.NO; // earlier rule should win } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.order1") { - return "no"; // earlier rule should win + return polkit.Result.NO; // earlier rule should win } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.order2") { - return "yes"; + return polkit.Result.YES; } }); diff --git a/test/data/usr/share/polkit-1/rules.d/10-testing.rules b/test/data/usr/share/polkit-1/rules.d/10-testing.rules index c60e262..1d553f6 100644 --- a/test/data/usr/share/polkit-1/rules.d/10-testing.rules +++ b/test/data/usr/share/polkit-1/rules.d/10-testing.rules @@ -6,12 +6,12 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.order0") { - return "no"; // earlier rule should win + return polkit.Result.NO; // earlier rule should win } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.order1") { - return "yes"; + return polkit.Result.YES; } }); diff --git a/test/data/usr/share/polkit-1/rules.d/20-testing.rules b/test/data/usr/share/polkit-1/rules.d/20-testing.rules index 5c5bb2c..071f135 100644 --- a/test/data/usr/share/polkit-1/rules.d/20-testing.rules +++ b/test/data/usr/share/polkit-1/rules.d/20-testing.rules 
@@ -4,18 +4,18 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.order0") { - return "no"; // earlier rule should win + return polkit.Result.NO; // earlier rule should win } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.order1") { - return "no"; // earlier rule should win + return polkit.Result.NO; // earlier rule should win } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.order2") { - return "no"; // earlier rule should win + return polkit.Result.NO; // earlier rule should win } }); |