Enforce command policies

author: Drew DeVault <[email protected]> 2016-12-02 08:17:45 -0500
committer: Drew DeVault <[email protected]> 2016-12-02 08:17:45 -0500
commit: 39cf9a82f7c1f7e5d7b4952cabf215c8459a99e2 (patch)
tree: 267efa5b40f7272bdfec16eac054961df6f4d417 /sway/commands.c
parent: f23880b1fdd70a21b04317c18208a1f3ce356839 (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/sway/commands.c b/sway/commands.c
index 0bfe9d13..5d5087b1 100644
--- a/sway/commands.c
+++ b/sway/commands.c
@@ -323,7 +323,7 @@ static struct cmd_handler *find_handler(char *line, enum cmd_status block) {
 	return res;
 }
 
-struct cmd_results *handle_command(char *_exec) {
+struct cmd_results *handle_command(char *_exec, enum command_context context) {
 	// Even though this function will process multiple commands we will only
 	// return the last error, if any (for now). (Since we have access to an
 	// error string we could e.g. concatonate all errors there.)
@@ -397,6 +397,16 @@ struct cmd_results *handle_command(char *_exec) {
 				free_argv(argc, argv);
 				goto cleanup;
 			}
+			if (!(get_command_policy(argv[0]) & context)) {
+				if (results) {
+					free_cmd_results(results);
+				}
+				results = cmd_results_new(CMD_INVALID, cmd,
+						"Permission denied for %s via %s", cmd,
+						command_policy_str(context));
+				free_argv(argc, argv);
+				goto cleanup;
+			}
 			struct cmd_results *res = handler->handle(argc-1, argv+1);
 			if (res->status != CMD_SUCCESS) {
 				free_argv(argc, argv);
author	Drew DeVault <[email protected]>	2016-12-02 08:17:45 -0500
committer	Drew DeVault <[email protected]>	2016-12-02 08:17:45 -0500
commit	39cf9a82f7c1f7e5d7b4952cabf215c8459a99e2 (patch)
tree	267efa5b40f7272bdfec16eac054961df6f4d417 /sway/commands.c
parent	f23880b1fdd70a21b04317c18208a1f3ce356839 (diff)