device: Do not require authentication for release/stop

If someone has started an operation, then we don't really need to confirm they are permitted to stop it again. Not doing this has the advantage that we cannot run into a second interactive authorization step accidentally.
2026-04-08 20:03:34 +02:00 · 2020-12-04 14:56:57 +01:00
parent 583cd870d8
commit fc7e4d0e5c
2 changed files with 9 additions and 26 deletions
--- a/src/device.c
+++ b/src/device.c
@ -484,17 +484,17 @@ get_permissions_for_invocation (GDBusMethodInvocation *invocation)
 		required_perms |= FPRINT_DEVICE_PERMISSION_ENROLL;
 	} else if (g_str_equal (method_name, "EnrollStart")) {
 		required_perms |= FPRINT_DEVICE_PERMISSION_ENROLL;
-	} else if (g_str_equal (method_name, "EnrollStop")) {
-		required_perms |= FPRINT_DEVICE_PERMISSION_ENROLL;
 	} else if (g_str_equal (method_name, "ListEnrolledFingers")) {
 		required_perms |= FPRINT_DEVICE_PERMISSION_VERIFY;
-	} else if (g_str_equal (method_name, "Release")) {
-		required_perms |= FPRINT_DEVICE_PERMISSION_VERIFY;
-		required_perms |= FPRINT_DEVICE_PERMISSION_ENROLL;
 	} else if (g_str_equal (method_name, "VerifyStart")) {
 		required_perms |= FPRINT_DEVICE_PERMISSION_VERIFY;
+	} else if (g_str_equal (method_name, "Release")) {
+	} else if (g_str_equal (method_name, "EnrollStop")) {
 	} else if (g_str_equal (method_name, "VerifyStop")) {
-		required_perms |= FPRINT_DEVICE_PERMISSION_VERIFY;
+		/* Don't require permissiong for for release/stop operations.
+		 * We are authenticated already if we could start, and we don't
+		 * want to end up authorizing interactively again.
+		 */
 	} else {
 		g_assert_not_reached ();
 	}
--- a/tests/fprintd.py
+++ b/tests/fprintd.py
@ -637,20 +637,11 @@ class FPrintdVirtualDeviceTest(FPrintdVirtualDeviceBaseTest):

        self.device.Release()

-    def test_unallowed_release(self):
+    def test_always_allowed_release(self):
        self.device.Claim('(s)', 'testuser')

        self._polkitd_obj.SetAllowed([''])

-        with self.assertFprintError('PermissionDenied'):
-            self.device.Release()
-
-        self._polkitd_obj.SetAllowed(['net.reactivated.fprint.device.setusername'])
-
-        with self.assertFprintError('PermissionDenied'):
-            self.device.Release()
-
-        self._polkitd_obj.SetAllowed(['net.reactivated.fprint.device.enroll'])
        self.device.Release()

    def test_unclaimed_release(self):
@ -1000,15 +991,11 @@ class FPrintdVirtualDeviceClaimedTest(FPrintdVirtualDeviceBaseTest):
        self._polkitd_obj.SetAllowed(['net.reactivated.fprint.device.enroll'])
        self.enroll_image('whorl')

-    def test_unallowed_enroll_stop(self):
+    def test_always_allowed_enroll_stop(self):
        self.device.EnrollStart('(s)', 'right-index-finger')

        self._polkitd_obj.SetAllowed([''])

-        with self.assertFprintError('PermissionDenied'):
-            self.device.EnrollStop()
-
-        self._polkitd_obj.SetAllowed(['net.reactivated.fprint.device.enroll'])
        self.device.EnrollStop()

    def test_unallowed_verify_start(self):
@ -1017,15 +1004,11 @@ class FPrintdVirtualDeviceClaimedTest(FPrintdVirtualDeviceBaseTest):
        with self.assertFprintError('PermissionDenied'):
            self.device.VerifyStart('(s)', 'any')

-    def test_unallowed_verify_stop(self):
+    def test_always_allowed_verify_stop(self):
        self.enroll_image('whorl')
        self.device.VerifyStart('(s)', 'any')

        self._polkitd_obj.SetAllowed([''])
-        with self.assertFprintError('PermissionDenied'):
-            self.device.VerifyStop()
-
-        self._polkitd_obj.SetAllowed(['net.reactivated.fprint.device.verify'])
        self.device.VerifyStop()

    def test_list_enrolled_fingers_current_user(self):