-rw-r--r-- | polkit/polkit-context.c | 41 |
1 files changed, 32 insertions, 9 deletions
diff --git a/polkit/polkit-context.c b/polkit/polkit-context.c
index 922e3ec..d806692 100644
--- a/polkit/polkit-context.c
+++ b/polkit/polkit-context.c
@@ -538,6 +538,8 @@ polkit_context_can_caller_do_action (PolKitContext *pk_context,
 PolKitPolicyCache *cache;
 PolKitPolicyFileEntry *pfe;
 PolKitResult result;
+ PolKitResult result_from_config;
+ PolKitResult result_from_grantdb;
 PolKitPolicyDefault *policy_default;
 PolKitConfig *config;
@@ -580,17 +582,27 @@ polkit_context_can_caller_do_action (PolKitContext *pk_context,
 polkit_policy_file_entry_debug (pfe);
- /* first, check if the grant database specifies a result */
- result = _polkit_grantdb_check_can_caller_do_action (pk_context, action, caller);
- if (result != POLKIT_RESULT_UNKNOWN)
- goto found;
-
- /* second, check if the config file specifies a result */
- result = polkit_config_can_caller_do_action (config, action, caller);
- if (result != POLKIT_RESULT_UNKNOWN)
+ result_from_config = polkit_config_can_caller_do_action (config, action, caller);
+ result_from_grantdb = _polkit_grantdb_check_can_caller_do_action (pk_context, action, caller);
+
+ /* fist, check if the config file specifies a result */
+ if (result_from_config != POLKIT_RESULT_UNKNOWN) {
+ /* it does.. use it.. although try to use an existing grant if there is one */
+ if ((result_from_config == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH ||
+ result_from_config == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION ||
+ result_from_config == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_ALWAYS ||
+ result_from_config == POLKIT_RESULT_ONLY_VIA_SELF_AUTH ||
+ result_from_config == POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_SESSION ||
+ result_from_config == POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS) &&
+ result_from_grantdb == POLKIT_RESULT_YES) {
+ result = POLKIT_RESULT_YES;
+ } else {
+ result = result_from_config;
+ }
 goto found;
+ }
- /* if no, just use the defaults */
+ /* use defaults as specified in the .policy file */
 policy_default = polkit_policy_file_entry_get_default (pfe);
 if (policy_default == NULL) {
 g_warning ("no default policy for action!");
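Review bot: The grant check `result_from_grantdb == POLKIT_RESULT_YES` turns every ONLY_VIA_*_AUTH result from the config file into YES without looking at how the grant was obtained. If the config demands admin authentication and the stored grant was acquired through self authentication (for instance before the config was tightened), the caller would presumably still be allowed; the grant database code is outside this hunk, so confirm whether `_polkit_grantdb_check_can_caller_do_action` already binds a grant to the kind of authentication that produced it. If it does not, only the SELF_AUTH results should be upgradable by a self-auth grant; if it does, say so at the test with `/* a grant only counts if it was obtained at the auth level now required; enforced in the grant database */`. The same test is repeated for the .policy defaults in the last hunk, and the new comment should read `/* first, check if the config file specifies a result */`. The function body starts and ends outside this hunk.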
@@ -598,6 +610,17 @@ polkit_context_can_caller_do_action (PolKitContext *pk_context,
 }
 result = polkit_policy_default_can_caller_do_action (policy_default, action, caller);
+ /* use this result.. although try to use an existing grant if there is one */
+ if ((result == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH ||
+ result == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION ||
+ result == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_ALWAYS ||
+ result == POLKIT_RESULT_ONLY_VIA_SELF_AUTH ||
+ result == POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_SESSION ||
+ result == POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS) &&
+ result_from_grantdb == POLKIT_RESULT_YES) {
+ result = POLKIT_RESULT_YES;
+ }
+
 found:
 /* Never return UNKNOWN to user */ |
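Review bot: The six-way ONLY_VIA_*_AUTH comparison added here is a second copy of the one in the config branch of the previous hunk, so the two authorization paths can drift apart if a PolKitResult value is ever added or renamed. Moving the test into one file-local predicate keeps both paths deciding "may an existing grant stand in for authentication" the same way. The name `_result_needs_auth` below is only a suggestion, and the config branch would call it with `result_from_config`. The enclosing function starts before this hunk and continues past it.

```c
/* TRUE when r means "allowed only after the caller authenticates" */
static gboolean
_result_needs_auth (PolKitResult r)
{
        switch (r) {
        case POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH:
        case POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION:
        case POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_ALWAYS:
        case POLKIT_RESULT_ONLY_VIA_SELF_AUTH:
        case POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_SESSION:
        case POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS:
                return TRUE;
        default:
                return FALSE;
        }
}

/* … unchanged: policy_default lookup and NULL check … */
        result = polkit_policy_default_can_caller_do_action (policy_default, action, caller);
        /* an existing grant replaces the authentication step, nothing else */
        if (_result_needs_auth (result) && result_from_grantdb == POLKIT_RESULT_YES)
                result = POLKIT_RESULT_YES;
```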