Bug 60103

Summary: Add API to query if the calling user can authenticate
Product: PolicyKit
Reporter: Martin Pitt <martin.pitt>
Component: daemon
Assignee: David Zeuthen (not reading bugmail) <zeuthen>
Status: RESOLVED MOVED
QA Contact: David Zeuthen (not reading bugmail) <zeuthen>
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All

Description Martin Pitt 2013-01-31 06:53:34 UTC
We have an application which shows an "Apply system-wide" button depending on whether or not the user is an administrator. Right now we define this in terms of being in the "admin" Unix group, and define the default polkit rules so that "admin" group members are admins.

We would like to move this check from group membership to directly asking polkit, as this is more robust when e.g. customizing the polkit configuration for remote authorizations.

The problem is, the current API for checking if a process can get authorized for a particular action (i.e. polkit_authority_check_authorization()) has no way of distinguishing if it's the current user who can authenticate, or whether any admin of the system can. I.e. if the policy is "auth_admin", then this call, or pkcheck, will always say "Authorization requires authentication and -u wasn't passed.".

It would be nice if there was either a detail (like polkit_user_denied=1) in the returned PolkitDetails which would point that out, or there was a flag like POLKIT_CHECK_AUTHORIZATION_FLAGS_CALLING_USER_ONLY which would say "no" if the calling user is not able to authenticate with her credentials.

The agent obviously has access to that information, as it will ask for the user's password if the user itself is an admin, or present a list of admins if not. But I don't see this exposed anywhere towards the client.
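
How a client sees the limitation described above with the existing tool, as an added example that is not part of the original report: a POSIX shell wrapper that classifies `pkcheck` exit codes (as documented in pkcheck(1)) for the calling shell. The `PKCHECK` override, the function names, the button states and the action id in the comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. PKCHECK is a hypothetical override
# so the logic can be exercised without a running polkit daemon.
: "${PKCHECK:=pkcheck}"

# Ask polkit about ACTION_ID for this shell process, without prompting
# (-u / --allow-user-interaction is deliberately not passed).
# Exit codes as documented in pkcheck(1).
polkit_state() {
    rc=0
    "$PKCHECK" --action-id "$1" --process "$$" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo authorized ;;   # allowed without authentication
        1) echo denied ;;       # not authorized, no challenge offered
        2) echo challenge ;;    # "requires authentication and -u wasn't passed"
        *) echo error ;;        # 3, 126, 127 or tool missing
    esac
}

# One possible mapping to the "Apply system-wide" button (an assumption of
# this example). "needs-auth" is the ambiguous state from the report: under an
# auth_admin policy it is returned whether the caller could authenticate
# or only some other administrator could.
button_mode() {
    case $(polkit_state "$1") in
        authorized) echo enabled ;;
        challenge)  echo needs-auth ;;
        *)          echo hidden ;;     # denied or error: fail closed
    esac
}

# Usage: sh this-file org.example.apply-system-wide   (constructed action id)
if [ $# -gt 0 ]; then button_mode "$1"; fi
```
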

Comment 1 GitLab Migration User 2018-08-20 21:35:35 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/polkit/polkit/issues/26.
