author David Zeuthen <zeuthen@gmail.com> 2012-06-07 10:35:07 -0400
committer David Zeuthen <zeuthen@gmail.com> 2012-06-07 10:35:07 -0400
commit d81f4d16ab96c4084bf20c7174ac6fb16f69c402
tree 60b3392cd8a5b67c540d12ca48458e15471f7847
parent 3d007cbc5d4a1560cdcca08b5ca0401371fc7b77
Mention the implications of returning *_keep in an authorization rule

Pointed out by Dan Williams <dcbw@redhat.com> on IRC.

Signed-off-by: David Zeuthen <zeuthen@gmail.com>
-rw-r--r-- docs/man/polkit.xml 20
1 files changed, 18 insertions, 2 deletions
diff --git a/docs/man/polkit.xml b/docs/man/polkit.xml
index a055707..d48b1a0 100644
--- a/docs/man/polkit.xml
+++ b/docs/man/polkit.xml
@@ -367,11 +367,11 @@ System Context | |
<term><literal>auth_self_keep</literal></term>
<listitem><para>Like <literal>auth_self</literal> but
the authorization is kept for a brief
- period.</para></listitem>
+ period (e.g. five minutes).</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>auth_admin_keep</literal></term>
- <listitem><para>Like <literal>auth_admin</literal> but the authorization is kept for a brief period.</para></listitem>
+ <listitem><para>Like <literal>auth_admin</literal> but the authorization is kept for a brief period (e.g. five minutes).</para></listitem>
</varlistentry>
</variablelist>
</listitem>
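Review bot: the "(e.g. five minutes)" added to both the auth_self_keep and auth_admin_keep entries gives an example duration but not what determines it, so a rule author cannot tell whether the period is fixed, configurable, or only typical. Suggest stating where the period is defined, or saying outright that it is implementation-defined. It would also help to note in these two entries that the kept authorization applies per action identifier and subject, so the definitions here agree with the caveat added further down in this file.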
@@ -564,6 +564,22 @@ System Context | |
</para>
<para>
+ Keep in mind that if <literal>"auth_self_keep"</literal> or
+ <literal>"auth_admin_keep"</literal> is returned,
+ authorization checks for the same action identifier and
+ subject will succeed (that is, return "yes") for the next
+ brief period (e.g. five minutes) <emphasis>even</emphasis> if
+ the variables passed along with the check are
+ different. Therefore, if the result of an authorization rule
+ depend on such variables, it should not use the
+ <literal>"*_keep"</literal> variants (if similar functionality
+ is required, the authorization rule can easily implement
+ temporary authorizations using the
+ <ulink url="https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/Date"><type>Date</type></ulink>
+ type for timestamps).
+ </para>
+
+ <para>
The <function>addAdminRule()</function> method is used for
adding a function may be called whenever administrator
authentication is required. The function is used to specify what
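Review bot: the closing parenthetical of the new paragraph, which says a rule "can easily implement temporary authorizations using the Date type", leaves out the one constraint that matters: the timestamp the rule stores has to be keyed on the same variables the rule's decision depends on, otherwise the rule's own cache repeats the problem this paragraph warns about. Suggest saying so explicitly or adding a short example rule. Two smaller points: "depend on such variables" should read "depends", and since this caveat changes the outcome of authorization checks it may deserve a warning or note element rather than a plain para.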