thunderbolt: only try to enroll if we are allowed

Check via Polkit if the current user is actually allowed to enroll
devices before trying to do so. If not, show a notification that
explains that a system administrator needs to authorize the device.
Clicking on the notification will guide the user to the thunderbolt
control center panel. Before this patch, when the current user was
not allowed to enroll a device a polkit dialog would pop up which
is confusing because it did not contain any information why it was
shown. This patch implements the behavior as designed (see [1],
section "Multi-user environments").

[1] https://wiki.gnome.org/Design/Whiteboards/ThunderboltAccess
This commit is contained in:
Christian Kellner 2019-01-17 15:22:14 +01:00
parent df77fb6793
commit 1f864c905d

View File

@ -5,6 +5,7 @@
const Gio = imports.gi.Gio;
const GLib = imports.gi.GLib;
const Lang = imports.lang;
const Polkit = imports.gi.Polkit;
const Shell = imports.gi.Shell;
const Signals = imports.signals;
@ -256,6 +257,15 @@ var Indicator = new Lang.Class({
this._sync();
this._source = null;
this._perm = null;
Polkit.Permission.new('org.freedesktop.bolt.enroll', null, null, (source, res) => {
try {
this._perm = Polkit.Permission.new_finish(res);
} catch (e) {
log('Failed to get PolKit permission: %s'.format(e.toString()));
}
});
},
_onDestroy() {
@ -314,21 +324,33 @@ var Indicator = new Lang.Class({
/* AuthRobot callbacks */
_onEnrollDevice(obj, device, policy) {
let auth = !Main.sessionMode.isLocked && !Main.sessionMode.isGreeter;
/* only authorize new devices when in an unlocked user session */
let unlocked = !Main.sessionMode.isLocked && !Main.sessionMode.isGreeter;
/* and if we have the permission to do so, otherwise we trigger a PolKit dialog */
let allowed = this._perm && this._perm.allowed;
let auth = unlocked && allowed;
policy[0] = auth;
log("thunderbolt: [%s] auto enrollment: %s".format(device.Name, auth ? 'yes' : 'no'));
log(`thunderbolt: [${device.Name}] auto enrollment: ${auth ? 'yes' : 'no'} (allowed: ${allowed ? 'yes' : 'no'})`);
if (auth)
return; /* we are done */
const title = _('Unknown Thunderbolt device');
const body = _('New device has been detected while you were away. Please disconnect and reconnect the device to start using it.');
if (!unlocked) {
const title = _("Unknown Thunderbolt device");
const body = _("New device has been detected while you were away. Please disconnect and reconnect the device to start using it.");
this._notify(title, body);
} else {
const title = _("Unauthorized Thunderbolt device");
const body = _("New device has been detected and needs to be authorized by an administrator.");
this._notify(title, body);
}
},
_onEnrollFailed(obj, device, error) {
const title = _('Thunderbolt authorization error');
const body = _('Could not authorize the Thunderbolt device: %s'.format(error.message));
const title = _("Thunderbolt authorization error");
const body = _("Could not authorize the Thunderbolt device: %s".format(error.message));
this._notify(title, body);
}