On Thu, 2009-07-16 at 09:53 +0100, Richard Hughes wrote: > > It of course make a lot of sense to return a message to the user about > > _what_ failed and _why_. But polkit should already tell you this - e.g. > > there are basically only three possible answers from polkit when you use > > the ALLOW_USER_INTERACTION flag > > > > o No, the user is not authorized > > > > o Yes, the user is authorized > > > > o The authorization check was cancelled > > (either by your own mechanism cancelling the check or by the user > > dismissing the authentication dialog)
Just checked, you only get org.freedesktop.PolicyKit1.Error.Cancelled if you cancel the check yourself. If the user dismisses the dialog OR if fails to authenticate (the gnome authentication agent only allows three tries) you are just told the user is not authorized. I remember changing the behavior to this some time ago. > This is what I don't understand. I understand that the output of > polkit_authorization_result_get_is_authorized is boolean, which > corresponds to the No and Yes actions. I also understand I can check > the GCancellable to find out if the mechanism cancelled the > authentication, FWIW, it's easier to just check if you got the .Cancelled error which in libpolkit-gobject-1 translates to the POLKIT_ERROR_CANCELLED error code in the GError. > but I don't know how to find out if the user dismissed > the authentication dialog, or if the session authentication agent > simply doesn't exist. If no authentication agent exists (or if you don't pass the ALLOW_USER_INTERACTION flag) and the user could have obtained authorization through authentication, then the get_is_challenge() method on PolkitAuthorizationResult will return TRUE. > I'm getting a few bugs where the polkit-gnome-authentication-agent-1 > process isn't running, and we can't show anything helpful to the user > in this case. I'm not sure exactly what you think should be different in how polkit works. Any concrete suggestions? FWIW, I don't think the mechanism should care about whether an authentication agent is available, whether the user dismissed the dialog or just failed to authenticate or other _implementation_ details. In fact, the system may be using an Authority Implementation that doesn't even allow obtaining authorization through authentication. The point is really that you can't make a lot of assumptions about how the Authority implementation works. > Maybe polkit-gnome-authentication-agent-1 should > register a well known name on the session bus, and gnome-packagekit > client tools should check for this service. I'm not sure. Ideas > welcome. Don't think this is a good idea - it would also break things like fast-user switching. I just don't see why the PackageKit mechanism or the GNOME PackageKit client tools need to care about whether an authentication agent exists at all... Thanks, David _______________________________________________ polkit-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/polkit-devel
