Bug 26473 - Respect PolicyKit privileges in can_{suspend,hibernate}
Summary: Respect PolicyKit privileges in can_{suspend,hibernate}
Alias: None
Product: upower
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: All All
: medium normal
Assignee: Richard Hughes
QA Contact:
URL: https://launchpad.net/bugs/432598
Depends on:
Reported: 2010-02-08 08:27 UTC by Martin Pitt
Modified: 2010-02-09 02:46 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Add up_polkit_is_allowed() function (2.34 KB, patch)
2010-02-08 09:13 UTC, Martin Pitt
Details | Splinter Review
Add {Suspend,Hibernate}Allowed D-Bus methods (5.30 KB, patch)
2010-02-08 09:14 UTC, Martin Pitt
Details | Splinter Review
Check PolicyKit in client's can_{suspend,hibernate} properties (3.71 KB, patch)
2010-02-08 09:15 UTC, Martin Pitt
Details | Splinter Review
Add {Suspend,Hibernate}Allowed D-Bus methods (4.83 KB, patch)
2010-02-08 09:40 UTC, Martin Pitt
Details | Splinter Review

Description Martin Pitt 2010-02-08 08:27:49 UTC
Earlier gnome-power-manager releases had two gconf keys


to disable suspend/hibernate. Obviously this isn't a very clean approach. It would be much better if upower would actually take the policykit privileges into account for reporting the values to clients, so that gnome-power-prefs, gnome-session, and other clients would do the right thing and hide the suspend/hibernate options if the admin (or an OEM) disables those privileges through a .pkla file, or if the defaults simply change in the future.
Comment 1 Martin Pitt 2010-02-08 09:13:19 UTC
Created attachment 33161 [details] [review]
Add up_polkit_is_allowed() function

This is a prerequisite for the following patches:

Add a new polkit helper function up_polkit_is_allowed() which checks whether
the caller has or can get a particular privilege, but without interactive
Comment 2 Martin Pitt 2010-02-08 09:14:33 UTC
Created attachment 33162 [details] [review]
Add {Suspend,Hibernate}Allowed D-Bus methods

Add two D-Bus server methods to check whether the caller has the privilege to
suspend or hibernate.

We do that on the server side, since that already has everything set up for PolicyKit querying, instead of adding a new dependency and lots of new code to the client side.
Comment 3 Martin Pitt 2010-02-08 09:15:09 UTC
Created attachment 33163 [details] [review]
Check PolicyKit in client's can_{suspend,hibernate} properties

Check for PK privileges in UpClient's can_{suspend,hibernate} properties, so
that clients like gnome-session or gnome-power-manager hide the related actions
if the admin or OEM disabled suspend/hibernate through a PolicyKit .pkla file

$ cat /etc/polkit-1/localauthority/50-local.d/disable-suspend.pkla
[Disable suspend]
Comment 4 Martin Pitt 2010-02-08 09:18:45 UTC
I tested this with both devkit-power --dump and upower --dump, to check that both the old devkit-power-gobject as well as the new libupower-glib work.

The only gotcha with this approach is that the UpClient does not send out property change notifications if the PK privilege is changed, so enabling/disabling suspend/hibernate currently requires a session restart (in the case of long running clients like gnome-session).
Comment 5 Martin Pitt 2010-02-08 09:40:29 UTC
Created attachment 33164 [details] [review]
Add {Suspend,Hibernate}Allowed D-Bus methods

Fix previous patch: We do not need to check the kernel capability again, that's already being taken care of.

This patch needs to go after "Add up_polkit_is_allowed() function" and before "Check PolicyKit in client's can_{suspend,hibernate} properties".
Comment 6 Richard Hughes 2010-02-09 02:34:53 UTC
Looks good to me, please commit!

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.