Comment 29 for bug 1008344

In , Martin Pitt (pitti) wrote :

We have an application which shows an "Apply system-wide" button depending on whether or not the user is an administrator. Right now we define this in terms of being in the "admin" Unix group, and define the default polkit rules so that "admin" group members are admins.

We would like to move this check from group membership to directly asking polkit, as this is more robust when e.g. customizing the polkit configuration for remote authorizations.

The problem is, the current API for checking if a process can get authorized for a particular action (i.e. polkit_authority_check_authorization()) has no way of distinguishing if it's the current user who can authenticate, or whether any admin of the system can. I.e. if the policy is "auth_admin", then this call, or pkcheck, will always say "Authorization requires authentication and -u wasn't passed.".

It would be nice if there was either a detail (like polkit_user_denied=1) in the returned PolkitDetails which would point that out, or there was a flag like POLKIT_CHECK_AUTHORIZATION_FLAGS_CALLING_USER_ONLY which would say "no" if the calling user is not able to authenticate with her credentials.

The agent obviously has access to that information, as it will ask for the user's password if the user itself is an admin, or present a list of admins if not. But I don't see this exposed anywhere towards the client.