Blob Blame History Raw
From 74acebeb19b1c0c7a52998b7862806e26ea8fce8 Mon Sep 17 00:00:00 2001
Message-Id: <74acebeb19b1c0c7a52998b7862806e26ea8fce8.1377873639.git.jdenemar@redhat.com>
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Fri, 30 Aug 2013 11:13:44 +0100
Subject: [PATCH] Update polkit examples to use 'lookup' method

For

  https://bugzilla.redhat.com/show_bug.cgi?id=700443

Feedback from the polkit developers indicates that the
"_detail_XXXX" attributes are a private implementation
detail. Our examples should be recommending use of the
"action.lookup('XXX')" method instead.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 7a7cb0934e25b9ac23cf9b2d318ac801604e0681)
---
 docs/aclpolkit.html.in | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in
index 3f0689e..1a09139 100644
--- a/docs/aclpolkit.html.in
+++ b/docs/aclpolkit.html.in
@@ -344,10 +344,8 @@
       dealing with local clients connected via the UNIX socket).
       On the <code>action</code> object, the permission name is
       accessible via the <code>id</code> attribute, while the
-      object identifying attributes are exposed via a set of
-      attributes with the naming convention <code>_detail_[attrname]</code>.
-      For example, the 'domain_name' attribute would be exposed via
-      a property <code>_detail_domain_name</code>.
+      object identifying attributes are exposed via the
+      <code>lookup</code> method.
     </p>
 
     <h3><a name="exconnect">Example: restricting ability to connect to drivers</a></h3>
@@ -359,7 +357,7 @@
       use the <code>QEMU</code> driver and not the Xen or LXC
       drivers which are also available in libvirtd.
       To achieve this we need to write a rule which checks
-      whether the <code>_detail_connect_driver</code> attribute
+      whether the <code>connect_driver</code> attribute
       is <code>QEMU</code>, and match on an action
       name of <code>org.libvirt.api.connect.getattr</code>. Using
       the javascript rules format, this ends up written as
@@ -369,7 +367,7 @@
 polkit.addRule(function(action, subject) {
     if (action.id == "org.libvirt.api.connect.getattr" &amp;&amp;
         subject.user == "berrange") {
-          if (action._detail_connect_driver == 'QEMU') {
+          if (action.lookup("connect_driver") == 'QEMU') {
             return polkit.Result.YES;
           } else {
             return polkit.Result.NO;
@@ -386,8 +384,8 @@ polkit.addRule(function(action, subject) {
       full read-write mode. The goal is to only allow them to
       see the domain called <code>demo</code> on the LXC driver.
       To achieve this we need to write a rule which checks
-      whether the <code>_detail_connect_driver</code> attribute
-      is <code>LXC</code> and the <code>_detail_domain_name</code>
+      whether the <code>connect_driver</code> attribute
+      is <code>LXC</code> and the <code>domain_name</code>
       attribute is <code>demo</code>, and match on a action
       name of <code>org.libvirt.api.domain.getattr</code>. Using
       the javascript rules format, this ends up written as
@@ -397,8 +395,8 @@ polkit.addRule(function(action, subject) {
 polkit.addRule(function(action, subject) {
     if (action.id == "org.libvirt.api.domain.getattr" &amp;&amp;
         subject.user == "berrange") {
-          if (action._detail_connect_driver == 'LXC' &amp;&amp;
-              action._detail_domain_name == 'demo') {
+          if (action.lookup("connect_driver") == 'LXC' &amp;&amp;
+              action.lookup("domain_name") == 'demo') {
             return polkit.Result.YES;
           } else {
             return polkit.Result.NO;
-- 
1.8.3.2