diff options
| author | David Zeuthen <zeuthen@gmail.com> | 2012-06-07 10:35:07 -0400 |
|---|---|---|
| committer | David Zeuthen <zeuthen@gmail.com> | 2012-06-07 10:35:07 -0400 |
| commit | d81f4d16ab96c4084bf20c7174ac6fb16f69c402 (patch) | |
| tree | 60b3392cd8a5b67c540d12ca48458e15471f7847 | |
| parent | 3d007cbc5d4a1560cdcca08b5ca0401371fc7b77 (diff) | |
| download | polkit-d81f4d16ab96c4084bf20c7174ac6fb16f69c402.tar.gz | |
Mention the implications of returning *_keep in an authorization rule
Pointed out by Dan Williams <dcbw@redhat.com> on IRC.
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
| -rw-r--r-- | docs/man/polkit.xml | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/docs/man/polkit.xml b/docs/man/polkit.xml index a055707..d48b1a0 100644 --- a/docs/man/polkit.xml +++ b/docs/man/polkit.xml @@ -367,11 +367,11 @@ System Context | | <term><literal>auth_self_keep</literal></term> <listitem><para>Like <literal>auth_self</literal> but the authorization is kept for a brief - period.</para></listitem> + period (e.g. five minutes).</para></listitem> </varlistentry> <varlistentry> <term><literal>auth_admin_keep</literal></term> - <listitem><para>Like <literal>auth_admin</literal> but the authorization is kept for a brief period.</para></listitem> + <listitem><para>Like <literal>auth_admin</literal> but the authorization is kept for a brief period (e.g. five minutes).</para></listitem> </varlistentry> </variablelist> </listitem> @@ -564,6 +564,22 @@ System Context | | </para> <para> + Keep in mind that if <literal>"auth_self_keep"</literal> or + <literal>"auth_admin_keep"</literal> is returned, + authorization checks for the same action identifier and + subject will succeed (that is, return "yes") for the next + brief period (e.g. five minutes) <emphasis>even</emphasis> if + the variables passed along with the check are + different. Therefore, if the result of an authorization rule + depend on such variables, it should not use the + <literal>"*_keep"</literal> variants (if similar functionality + is required, the authorization rule can easily implement + temporary authorizations using the + <ulink url="https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/Date"><type>Date</type></ulink> + type for timestamps). + </para> + + <para> The <function>addAdminRule()</function> method is used for adding a function may be called whenever administrator authentication is required. The function is used to specify what |