[gnome-shell] thunderbolt: only try to enroll if we are allowed



commit 1f864c905d3eb0957c451d3ff4654a5f7ab7c54c
Author: Christian Kellner <christian kellner me>
Date:   Thu Jan 17 15:22:14 2019 +0100

    thunderbolt: only try to enroll if we are allowed
    
    Check via Polkit if the current user is actually allowed to enroll
    devices before trying to do so. If not, show a notification that
    explains that a system administrator needs to authorize the device.
    Clicking on the notification will guide the user to the thunderbolt
    control center panel. Before this patch, when the current user was
    not allowed to enroll a device a polkit dialog would pop up which
    is confusing because it did not contain any information why it was
    shown. This patch implements the behavior as designed (see [1],
    section "Multi-user environments").
    
    [1] https://wiki.gnome.org/Design/Whiteboards/ThunderboltAccess

 js/ui/status/thunderbolt.js | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)
---
diff --git a/js/ui/status/thunderbolt.js b/js/ui/status/thunderbolt.js
index 3d7a9614a..1f873c166 100644
--- a/js/ui/status/thunderbolt.js
+++ b/js/ui/status/thunderbolt.js
@@ -5,6 +5,7 @@
 const Gio = imports.gi.Gio;
 const GLib = imports.gi.GLib;
 const Lang = imports.lang;
+const Polkit = imports.gi.Polkit;
 const Shell = imports.gi.Shell;
 const Signals = imports.signals;
 
@@ -256,6 +257,15 @@ var Indicator = new Lang.Class({
         this._sync();
 
        this._source = null;
+        this._perm = null;
+
+        Polkit.Permission.new('org.freedesktop.bolt.enroll', null, null, (source, res) => {
+            try {
+                this._perm = Polkit.Permission.new_finish(res);
+            } catch (e) {
+                log('Failed to get PolKit permission: %s'.format(e.toString()));
+            }
+        });
     },
 
     _onDestroy() {
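Review bot: Nothing at the `this._perm = null;` initialisation says that null is a meaningful state. The lookup is asynchronous and a failure is only logged, so `_perm` stays null until the callback runs, and permanently if `new_finish` throws. The enrollment path treats that as "not allowed", which is the safe direction. A comment would keep a later change from turning it into a default-allow, for example `/* null until the Polkit lookup finishes, or if it fails; null must always be treated as not allowed */`. The call also passes `null` as the cancellable, so the callback can presumably still run after `_onDestroy`, whose body is outside this hunk; worth confirming that is harmless.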
@@ -314,21 +324,33 @@ var Indicator = new Lang.Class({
 
     /* AuthRobot callbacks */
     _onEnrollDevice(obj, device, policy) {
-       let auth = !Main.sessionMode.isLocked && !Main.sessionMode.isGreeter;
+        /* only authorize new devices when in an unlocked user session */
+       let unlocked = !Main.sessionMode.isLocked && !Main.sessionMode.isGreeter;
+        /* and if we have the permission to do so, otherwise we trigger a PolKit dialog */
+        let allowed = this._perm && this._perm.allowed;
+
+        let auth = unlocked && allowed;
        policy[0] = auth;
 
-       log("thunderbolt: [%s] auto enrollment: %s".format(device.Name, auth ? 'yes' : 'no'));
+        log(`thunderbolt: [${device.Name}] auto enrollment: ${auth ? 'yes' : 'no'} (allowed: ${allowed ? 
'yes' : 'no'})`);
+
        if (auth)
            return; /* we are done */
 
-       const title = _('Unknown Thunderbolt device');
-       const body = _('New device has been detected while you were away. Please disconnect and reconnect the 
device to start using it.');
-       this._notify(title, body);
+        if (!unlocked) {
+           const title = _("Unknown Thunderbolt device");
+           const body = _("New device has been detected while you were away. Please disconnect and reconnect 
the device to start using it.");
+           this._notify(title, body);
+        } else {
+            const title = _("Unauthorized Thunderbolt device");
+           const body = _("New device has been detected and needs to be authorized by an administrator.");
+           this._notify(title, body);
+        }
     },
 
     _onEnrollFailed(obj, device, error) {
-       const title = _('Thunderbolt authorization error');
-       const body = _('Could not authorize the Thunderbolt device: %s'.format(error.message));
+       const title = _("Thunderbolt authorization error");
+       const body = _("Could not authorize the Thunderbolt device: %s".format(error.message));
        this._notify(title, body);
     }
 
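Review bot: In `_onEnrollDevice`, `let allowed = this._perm && this._perm.allowed;` yields `null` rather than `false` whenever the Polkit lookup has not finished or has failed. In an unlocked session `auth` is then `null`, and `policy[0]` receives `null` where the old code always stored a boolean. How the consumer reads `policy[0]` is not visible in this hunk, so the value should be coerced explicitly: `let allowed = this._perm !== null && this._perm.allowed;`. In the same state the `else` branch tells the user that an administrator must authorize the device, although the real cause may be a pending or failed permission lookup. Logging `this._perm === null` separately in the existing `log()` line would let the two cases be told apart when triaging reports.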

