From 65e8c90c0734996e737cfb9c2fa8fe3132879269 Mon Sep 17 00:00:00 2001 From: David Edmundson Date: Sun, 28 Aug 2016 20:51:44 +0100 Subject: [PATCH] Allow a user to change their own password without admin Introduces a new action with default state auth_self to be used by SetPassword and SetPasswordMode when changing ones own password. --- data/org.freedesktop.accounts.policy.in | 10 ++++++++++ src/user.c | 25 +++++++++++++++++++++++-- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/data/org.freedesktop.accounts.policy.in b/data/org.freedesktop.accounts.policy.in index cbea82d..62cb452 100644 --- a/data/org.freedesktop.accounts.policy.in +++ b/data/org.freedesktop.accounts.policy.in @@ -17,6 +17,16 @@ + + <_description>Change your own user password + <_message>Authentication is required to change your own user password + + auth_self + auth_self + auth_self + + + <_description>Manage user accounts <_message>Authentication is required to change user data diff --git a/src/user.c b/src/user.c index b2ea4be..a67794c 100644 --- a/src/user.c +++ b/src/user.c @@ -1800,13 +1800,22 @@ user_set_password_mode (AccountsUser *auser, { User *user = (User*)auser; const gchar *action_id; + gint uid; if (mode < 0 || mode > PASSWORD_MODE_LAST) { throw_error (context, ERROR_FAILED, "unknown password mode: %d", mode); return FALSE; } - action_id = "org.freedesktop.accounts.user-administration"; + if (!get_caller_uid (context, &uid)) { + throw_error (context, ERROR_FAILED, "identifying caller failed"); + return FALSE; + } + + if (user->uid == (uid_t) uid) + action_id = "org.freedesktop.accounts.change-own-user-data-restricted"; + else + action_id = "org.freedesktop.accounts.user-administration"; daemon_local_check_auth (user->daemon, user, 
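Review bot: The new action's three defaults are all `auth_self`, so (assuming they are the any / inactive / active session defaults, whose element names are stripped on this page) a caller in a remote or inactive session gets the same self-service path as one at the local console. If that is intended, say so in the policy file, e.g. `<!-- auth_self for every session class: changing your own password only needs your own credentials -->`. The description and message are password-specific, while src/user.c requests an action named `org.freedesktop.accounts.change-own-user-data-restricted`. If other setters later reuse that id, the prompt would tell the user they are authorizing a password change when they are not, so either the id or the text should be narrowed to match.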
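Review bot: The self-service branch in user_set_password_mode picks the `auth_self` action for every mode that passes the `mode < 0 || mode > PASSWORD_MODE_LAST` check, not only for the ordinary password mode. If any accepted mode removes or expires the password (the authorized callback is outside this hunk, so this is inferred), an account owner could change that state with only their own credentials, sidestepping an administrator's password policy. Consider keeping `user-administration` unless the requested mode is one users are meant to choose themselves, for example `if (user->uid == (uid_t) uid && mode == PASSWORD_MODE_REGULAR)`, assuming that is the enum's name for the ordinary mode. The function body continues past the end of the hunk.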
@@ -1891,15 +1900,27 @@ user_set_password (AccountsUser *auser,
 {
 User *user = (User*)auser;
 gchar **data;
+ const gchar *action_id;
+ gint uid;
+
+ if (!get_caller_uid (context, &uid)) {
+ throw_error (context, ERROR_FAILED, "identifying caller failed");
+ return FALSE;
+ }
 
 data = g_new (gchar *, 3);
 data[0] = g_strdup (password);
 data[1] = g_strdup (hint);
 data[2] = NULL;
 
+ if (user->uid == (uid_t) uid)
+ action_id = "org.freedesktop.accounts.change-own-user-data-restricted";
+ else
+ action_id = "org.freedesktop.accounts.user-administration";
+
 daemon_local_check_auth (user->daemon,
 user,
- "org.freedesktop.accounts.user-administration",
+ action_id,
 TRUE,
 user_change_password_authorized_cb,
 context,
-- 
2.9.0
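Review bot: Nothing between `get_caller_uid` and `daemon_local_check_auth` in user_set_password checks the new value against local password policy, and with this change a non-admin reaches that path by authenticating as themselves. If `password` is applied as supplied by `user_change_password_authorized_cb` (not visible here), the quality and history rules an administrator configured for ordinary password changes may not apply to self-service changes. That is worth confirming and documenting above the uid comparison, e.g. `/* Own account: polkit asks only for the caller's credentials; password policy is not re-checked in this function. */`. The uid-to-action selection is also duplicated verbatim from user_set_password_mode, so a single static helper returning the action id would keep the two authorization decisions from drifting apart. The hunk ends before the call's remaining arguments.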