Earlier gnome-power-manager releases had two gconf keys /apps/gnome-power-manager/general/can_hibernate /apps/gnome-power-manager/general/can_suspend to disable suspend/hibernate. Obviously this isn't a very clean approach. It would be much better if upower would actually take the policykit privileges into account for reporting the values to clients, so that gnome-power-prefs, gnome-session, and other clients would do the right thing and hide the suspend/hibernate options if the admin (or an OEM) disables those privileges through a .pkla file, or if the defaults simply change in the future.
Created attachment 33161 [details] [review] Add up_polkit_is_allowed() function This is a prerequisite for the following patches: Add a new polkit helper function up_polkit_is_allowed() which checks whether the caller has or can get a particular privilege, but without interactive authentication.
Created attachment 33162 [details] [review] Add {Suspend,Hibernate}Allowed D-Bus methods Add two D-Bus server methods to check whether the caller has the privilege to suspend or hibernate. We do that on the server side, since that already has everything set up for PolicyKit querying, instead of adding a new dependency and lots of new code to the client side.
Created attachment 33163 [details] [review] Check PolicyKit in client's can_{suspend,hibernate} properties Check for PK privileges in UpClient's can_{suspend,hibernate} properties, so that clients like gnome-session or gnome-power-manager hide the related actions if the admin or OEM disabled suspend/hibernate through a PolicyKit .pkla file like $ cat /etc/polkit-1/localauthority/50-local.d/disable-suspend.pkla [Disable suspend] Identity=unix-user:* Action=org.freedesktop.upower.suspend ResultActive=no ResultAny=no
I tested this with both devkit-power --dump and upower --dump, to check that both the old devkit-power-gobject as well as the new libupower-glib work. The only gotcha with this approach is that the UpClient does not send out property change notifications if the PK privilege is changed, so enabling/disabling suspend/hibernate currently requires a session restart (in the case of long running clients like gnome-session).
Created attachment 33164 [details] [review] Add {Suspend,Hibernate}Allowed D-Bus methods Fix previous patch: We do not need to check the kernel capability again, that's already being taken care of. This patch needs to go after "Add up_polkit_is_allowed() function" and before "Check PolicyKit in client's can_{suspend,hibernate} properties".
Looks good to me, please commit!
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.