diff options
author | Benjamin Berg <bberg@redhat.com> | 2020-12-04 14:56:57 +0100 |
---|---|---|
committer | Benjamin Berg <bberg@redhat.com> | 2020-12-07 15:14:07 +0100 |
commit | fc7e4d0e5cd988ec71a9f69082d9ee8072222790 (patch) | |
tree | ec026d521afa81b1114d1e00dab5d9bbc2d5f8bc | |
parent | 583cd870d8566422b622dd937e044f634ff74058 (diff) |
device: Do not require authentication for release/stop
If someone has started an operation, then we don't really need to
confirm they are permitted to stop it again. Not doing this has the
advantage that we cannot run into a second interactive authorization
step accidentally.
-rw-r--r-- | src/device.c | 12 | ||||
-rw-r--r-- | tests/fprintd.py | 23 |
2 files changed, 9 insertions, 26 deletions
diff --git a/src/device.c b/src/device.c index e898d94..5972dc4 100644 --- a/src/device.c +++ b/src/device.c @@ -484,17 +484,17 @@ get_permissions_for_invocation (GDBusMethodInvocation *invocation) required_perms |= FPRINT_DEVICE_PERMISSION_ENROLL; } else if (g_str_equal (method_name, "EnrollStart")) { required_perms |= FPRINT_DEVICE_PERMISSION_ENROLL; - } else if (g_str_equal (method_name, "EnrollStop")) { - required_perms |= FPRINT_DEVICE_PERMISSION_ENROLL; } else if (g_str_equal (method_name, "ListEnrolledFingers")) { required_perms |= FPRINT_DEVICE_PERMISSION_VERIFY; - } else if (g_str_equal (method_name, "Release")) { - required_perms |= FPRINT_DEVICE_PERMISSION_VERIFY; - required_perms |= FPRINT_DEVICE_PERMISSION_ENROLL; } else if (g_str_equal (method_name, "VerifyStart")) { required_perms |= FPRINT_DEVICE_PERMISSION_VERIFY; + } else if (g_str_equal (method_name, "Release")) { + } else if (g_str_equal (method_name, "EnrollStop")) { } else if (g_str_equal (method_name, "VerifyStop")) { - required_perms |= FPRINT_DEVICE_PERMISSION_VERIFY; + /* Don't require permissiong for for release/stop operations. + * We are authenticated already if we could start, and we don't + * want to end up authorizing interactively again. + */ } else { g_assert_not_reached (); } diff --git a/tests/fprintd.py b/tests/fprintd.py index 25b4c31..f2246df 100644 --- a/tests/fprintd.py +++ b/tests/fprintd.py @@ -637,20 +637,11 @@ class FPrintdVirtualDeviceTest(FPrintdVirtualDeviceBaseTest): self.device.Release() - def test_unallowed_release(self): + def test_always_allowed_release(self): self.device.Claim('(s)', 'testuser') self._polkitd_obj.SetAllowed(['']) - with self.assertFprintError('PermissionDenied'): - self.device.Release() - - self._polkitd_obj.SetAllowed(['net.reactivated.fprint.device.setusername']) - - with self.assertFprintError('PermissionDenied'): - self.device.Release() - - self._polkitd_obj.SetAllowed(['net.reactivated.fprint.device.enroll']) self.device.Release() def test_unclaimed_release(self): @@ -1000,15 +991,11 @@ class FPrintdVirtualDeviceClaimedTest(FPrintdVirtualDeviceBaseTest): self._polkitd_obj.SetAllowed(['net.reactivated.fprint.device.enroll']) self.enroll_image('whorl') - def test_unallowed_enroll_stop(self): + def test_always_allowed_enroll_stop(self): self.device.EnrollStart('(s)', 'right-index-finger') self._polkitd_obj.SetAllowed(['']) - with self.assertFprintError('PermissionDenied'): - self.device.EnrollStop() - - self._polkitd_obj.SetAllowed(['net.reactivated.fprint.device.enroll']) self.device.EnrollStop() def test_unallowed_verify_start(self): @@ -1017,15 +1004,11 @@ class FPrintdVirtualDeviceClaimedTest(FPrintdVirtualDeviceBaseTest): with self.assertFprintError('PermissionDenied'): self.device.VerifyStart('(s)', 'any') - def test_unallowed_verify_stop(self): + def test_always_allowed_verify_stop(self): self.enroll_image('whorl') self.device.VerifyStart('(s)', 'any') self._polkitd_obj.SetAllowed(['']) - with self.assertFprintError('PermissionDenied'): - self.device.VerifyStop() - - self._polkitd_obj.SetAllowed(['net.reactivated.fprint.device.verify']) self.device.VerifyStop() def test_list_enrolled_fingers_current_user(self): |