From 74acebeb19b1c0c7a52998b7862806e26ea8fce8 Mon Sep 17 00:00:00 2001
Message-Id: <74acebeb19b1c0c7a52998b7862806e26ea8fce8.1377873639.git.jdenemar@redhat.com>
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Fri, 30 Aug 2013 11:13:44 +0100
Subject: [PATCH] Update polkit examples to use 'lookup' method
For
  https://bugzilla.redhat.com/show_bug.cgi?id=700443
Feedback from the polkit developers indicates that the
"_detail_XXXX" attributes are a private implementation
detail. Our examples should be recommending use of the
"action.lookup('XXX')" method instead.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 7a7cb0934e25b9ac23cf9b2d318ac801604e0681)
---
 docs/aclpolkit.html.in | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in
43fe83
index 3f0689e..1a09139 100644
43fe83
--- a/docs/aclpolkit.html.in
43fe83
+++ b/docs/aclpolkit.html.in
43fe83
@@ -344,10 +344,8 @@
43fe83
       dealing with local clients connected via the UNIX socket).
43fe83
       On the action object, the permission name is
43fe83
       accessible via the id attribute, while the
43fe83
-      object identifying attributes are exposed via a set of
43fe83
-      attributes with the naming convention _detail_[attrname].
43fe83
-      For example, the 'domain_name' attribute would be exposed via
43fe83
-      a property _detail_domain_name.
43fe83
+      object identifying attributes are exposed via the
43fe83
+      lookup method.
43fe83
     

43fe83
 
43fe83
     

Example: restricting ability to connect to drivers

43fe83
@@ -359,7 +357,7 @@
43fe83
       use the QEMU driver and not the Xen or LXC
43fe83
       drivers which are also available in libvirtd.
43fe83
       To achieve this we need to write a rule which checks
43fe83
-      whether the _detail_connect_driver attribute
43fe83
+      whether the connect_driver attribute
43fe83
       is QEMU, and match on an action
43fe83
       name of org.libvirt.api.connect.getattr. Using
43fe83
       the javascript rules format, this ends up written as
43fe83
@@ -369,7 +367,7 @@
43fe83
 polkit.addRule(function(action, subject) {
43fe83
     if (action.id == "org.libvirt.api.connect.getattr" &&
43fe83
         subject.user == "berrange") {
43fe83
-          if (action._detail_connect_driver == 'QEMU') {
43fe83
+          if (action.lookup("connect_driver") == 'QEMU') {
43fe83
             return polkit.Result.YES;
43fe83
           } else {
43fe83
             return polkit.Result.NO;
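Review bot: The new `action.lookup("connect_driver")` call takes the detail name as a free-form string, so a misspelled key is not reported as an error; as far as I know lookup() then yields undefined, the comparison fails and the rule returns `polkit.Result.NO` for this user. That fails closed here, but the example should say so, for instance with a comment above the check: `// lookup() gives undefined for a detail libvirt did not set, so a typo in the key denies access`. The same applies to the two lookups in the domain.getattr example in the last hunk. Since readers copy these rules into authorization policy, `===` would also be a safer comparison to show than `==`. The addRule callback continues outside the hunk.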
43fe83
@@ -386,8 +384,8 @@ polkit.addRule(function(action, subject) {
43fe83
       full read-write mode. The goal is to only allow them to
43fe83
       see the domain called demo on the LXC driver.
43fe83
       To achieve this we need to write a rule which checks
43fe83
-      whether the _detail_connect_driver attribute
43fe83
-      is LXC and the _detail_domain_name
43fe83
+      whether the connect_driver attribute
43fe83
+      is LXC and the domain_name
43fe83
       attribute is demo, and match on a action
43fe83
       name of org.libvirt.api.domain.getattr. Using
43fe83
       the javascript rules format, this ends up written as
43fe83
@@ -397,8 +395,8 @@ polkit.addRule(function(action, subject) {
43fe83
 polkit.addRule(function(action, subject) {
43fe83
     if (action.id == "org.libvirt.api.domain.getattr" &&
43fe83
         subject.user == "berrange") {
43fe83
-          if (action._detail_connect_driver == 'LXC' &&
43fe83
-              action._detail_domain_name == 'demo') {
43fe83
+          if (action.lookup("connect_driver") == 'LXC' &&
43fe83
+              action.lookup("domain_name") == 'demo') {
43fe83
             return polkit.Result.YES;
43fe83
           } else {
43fe83
             return polkit.Result.NO;
-- 
1.8.3.2