Commit d5847d8d authored by Matthew Leeds's avatar Matthew Leeds Committed by Ray Strode

Check GDBusMessage for INTERACTIVE_AUTHORIZATION flag

Currently we always use the flag
POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION when checking if
a subject is authorized for an action, meaning that we cause polkit to
create an interactive dialog box. However since GLib 2.46, there has
been a flag G_DBUS_MESSAGE_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION which
indicates if the caller is prepared to have the user authenticate (e.g.
it's a user-facing program not a daemon). So, check for this flag in
daemon_local_check_auth().

The impetus for this patch is that in the Endles fork of
gnome-control-center we use the library malcontent, and call
mct_manager_get_app_filter() even when we don't have permission to
actually read the user's app filter, since it shouldn't cause a dialog
without MCT_GET_APP_FILTER_FLAGS_INTERACTIVE being passed to it. However
because accountsservice doesn't respect
G_DBUS_MESSAGE_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION, polkit attempts to
create an auth dialog anyway (and hits an error but that's a separate
gnome-shell bug).

In libaccountsservice, we use code generated by gdbus-codegen to call
D-Bus methods implemented by the daemon, and that generated code
unconditionally uses G_DBUS_CALL_FLAGS_NONE, which would mean that users
of libaccountsservice can't use interactive auth. The solution is to
bump our GLib requirement to 2.63.5 (2.64 hasn't been released yet) and
pass --glib-min-required 2.64 to gdbus-codegen, which causes the
generated code to have two more arguments for each method call: one for
GDBusCallFlags and one for a timeout value.

For now we always use G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION
in libaccountsservice, to maintain compatibility. It might make sense to
add API in the future so that users of the library can specify if they
want to allow interactive auth.

This commit also makes us use
G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION for method calls
implemented by ConsoleKit, even though presumably no problems are caused
by the current behavior of using G_DBUS_CALL_FLAGS_NONE. In theory
ConsoleKit could check for
G_DBUS_MESSAGE_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION one day (although
in practice I think it's deprecated and inactive), and I think the whole
of libaccountsservice should assume interactive auth is allowed until we
have API to distinguish the no-interactive-auth case.
parent eb1cac46
Pipeline #106335 passed with stage
in 1 minute and 3 seconds