GNOME Bugzilla – Bug 681762
Support a locked down mode for the user accounts panel
Last modified: 2021-06-09 16:25:19 UTC
When locked down user accounts panel is enabled: * The left side list is not shown, which implies no adding/removing users. * Not possible to change settings for any other users. * The panel should be called 'User Account' instead of 'User Accounts' This lock down is conceptually separate from the abilities of the 'Account Type'.
I'm working on it.
Created attachment 222928 [details] [review] locked down mode support
Created attachment 222929 [details] locked down mode screenshot
"When locked down user accounts panel is enabled" which we check for how? I was under the impression that it was really a separate panel, because we'd also need to change the desktop file/launcher icon in the overview.
I have thought that the locked down mode means simply the locked user accounts panel, doesn't it?
Looking at https://live.gnome.org/Design/Proposals/UserIdentities I believe what is meant with 'locked down mode' here is a scenario where the machine is enrolled in AD and local user accounts are not allowed at all.
Yep, so not the scenario handled by the patch here.
Comment on attachment 222928 [details] [review] locked down mode support Marking the patch as rejected, as I think we want a completely separate panel (even if there is code-sharing).
(In reply to comment #7) > Yep, so not the scenario handled by the patch here. Indeed, so idea is create panel for non-local users with information only about its account with no possibilities to manipulate with other users. (In reply to comment #8) > (From update of attachment 222928 [details] [review]) > Marking the patch as rejected, as I think we want a completely separate panel > (even if there is code-sharing). Ok, I'll try to do that as a separate panel with new desktop file. However I don't understand will be there in g-c-c afterwards two icons "User Accounts" and "User Account", or how it will be determined which icon should be shown?
(In reply to comment #9) > (In reply to comment #7) > > Yep, so not the scenario handled by the patch here. > > Indeed, so idea is create panel for non-local users with information only about > its account with no possibilities to manipulate with other users. Nod. > (In reply to comment #8) > > (From update of attachment 222928 [details] [review] [details]) > > Marking the patch as rejected, as I think we want a completely separate panel > > (even if there is code-sharing). > > Ok, I'll try to do that as a separate panel with new desktop file. Cool. > However I don't understand will be there in g-c-c afterwards two icons "User > Accounts" and "User Account", or how it will be determined which icon should be > shown? I really don't know, we'll have to ask Stef about this. I think that it's not very important as long as bug 681753 is opened.
(In reply to comment #10) > > However I don't understand will be there in g-c-c afterwards two icons "User > > Accounts" and "User Account", or how it will be determined which icon should be > > shown? > > I really don't know, we'll have to ask Stef about this. I think that it's not > very important as long as bug 681753 is opened. It'll be determined by a dconf setting and the Lockdown (ie: pessulus) editor. But it's not very firm yet. This is so than Enterprise administrators can avoid confusing users with unnecessary options in a workstation style environment.
Created attachment 224634 [details] [review] locked down mode support The patch add separate user account panel with new desktop file for lock down mode. Almost all functionality is removed according mockup. However hiding mechanism is missing.
(In reply to comment #11) > (In reply to comment #10) > > > However I don't understand will be there in g-c-c afterwards two icons "User > > > Accounts" and "User Account", or how it will be determined which icon should be > > > shown? > > > > I really don't know, we'll have to ask Stef about this. I think that it's not > > very important as long as bug 681753 is opened. > > It'll be determined by a dconf setting and the Lockdown (ie: pessulus) editor. > But it's not very firm yet. This is so than Enterprise administrators can avoid > confusing users with unnecessary options in a workstation style environment. Does the dconf setting exists for the lockdown yet? What is the best way to hide unnecessary desktop file in gnome-control-center and also in gnome-shell?
(In reply to comment #13) > Does the dconf setting exists for the lockdown yet? I don't think so. Usually the various modules (like gnome-control-center) define dconf settings, than dconf lockdown stuff can then drive. > What is the best way to hide unnecessary desktop file in gnome-control-center > and also in gnome-shell? No idea here.
Review of attachment 224634 [details] [review]: Rest looks alright. Obviously missing the way to hide it still. ::: panels/user-accounts/Makefile.am @@ +76,3 @@ + um-user-panel.c \ + um-user-module.c \ + $(COMMON_SOURCES) Use a noinst_LTLIBRARIES = ... to define the common parts. Then link each of the 2 versions to that library. That saves us having to compile I don't know how many source files twice. ::: panels/user-accounts/data/gnome-user-account-panel.desktop.in.in @@ +1,3 @@ +[Desktop Entry] +_Name=User Account +_Comment=Edit your account Can you actually edit anything here?
(In reply to comment #13) > (In reply to comment #11) > > (In reply to comment #10) > > > > However I don't understand will be there in g-c-c afterwards two icons "User > > > > Accounts" and "User Account", or how it will be determined which icon should be > > > > shown? > > > > > > I really don't know, we'll have to ask Stef about this. I think that it's not > > > very important as long as bug 681753 is opened. > > > > It'll be determined by a dconf setting and the Lockdown (ie: pessulus) editor. > > But it's not very firm yet. This is so than Enterprise administrators can avoid > > confusing users with unnecessary options in a workstation style environment. > > Does the dconf setting exists for the lockdown yet? Nope. File a bug (with a patch ;) against gsettings-desktop-schemas. > What is the best way to hide unnecessary desktop file in gnome-control-center > and also in gnome-shell? We don't have a way right now. See bug 650699. I'll add comments there.
Created attachment 224814 [details] [review] locked down mode support The library with common source code has been added.
(In reply to comment #15) > Review of attachment 224634 [details] [review]: > ::: panels/user-accounts/data/gnome-user-account-panel.desktop.in.in > @@ +1,3 @@ > +[Desktop Entry] > +_Name=User Account > +_Comment=Edit your account > > Can you actually edit anything here? Why I can't? It is a newly added desktop file for the lockdown mode. diff data/gnome-user-accounts-panel.desktop.in.in data/gnome-user-account-panel.desktop.in.in 2,4c2,4 < _Name=User Accounts < _Comment=Add or remove users < Exec=gnome-control-center user-accounts --- > _Name=User Account > _Comment=Edit your account > Exec=gnome-control-center user-account 15c15 < X-GNOME-Settings-Panel=user-accounts --- > X-GNOME-Settings-Panel=user-account
(In reply to comment #16) > (In reply to comment #13) > > (In reply to comment #11) > > > (In reply to comment #10) > > > > > However I don't understand will be there in g-c-c afterwards two icons "User > > > > > Accounts" and "User Account", or how it will be determined which icon should be > > > > > shown? > > > > > > > > I really don't know, we'll have to ask Stef about this. I think that it's not > > > > very important as long as bug 681753 is opened. > > > > > > It'll be determined by a dconf setting and the Lockdown (ie: pessulus) editor. > > > But it's not very firm yet. This is so than Enterprise administrators can avoid > > > confusing users with unnecessary options in a workstation style environment. > > > > Does the dconf setting exists for the lockdown yet? > > Nope. File a bug (with a patch ;) against gsettings-desktop-schemas. Ok, I'll file a bug. > > What is the best way to hide unnecessary desktop file in gnome-control-center > > and also in gnome-shell? > > We don't have a way right now. See bug 650699. I'll add comments there. Thanks, I'll see there.
(In reply to comment #18) > (In reply to comment #15) > > Review of attachment 224634 [details] [review] [details]: > > ::: panels/user-accounts/data/gnome-user-account-panel.desktop.in.in > > @@ +1,3 @@ > > +[Desktop Entry] > > +_Name=User Account > > +_Comment=Edit your account > > > > Can you actually edit anything here? > > Why I can't? It is a newly added desktop file for the lockdown mode. What's editable? The avatar? The password? You might want to change the Comment line to be more precise.
(In reply to comment #20) > (In reply to comment #18) > > (In reply to comment #15) > > > Review of attachment 224634 [details] [review] [details] [details]: > > > ::: panels/user-accounts/data/gnome-user-account-panel.desktop.in.in > > > @@ +1,3 @@ > > > +[Desktop Entry] > > > +_Name=User Account > > > +_Comment=Edit your account > > > > > > Can you actually edit anything here? > > > > Why I can't? It is a newly added desktop file for the lockdown mode. > > What's editable? The avatar? The password? You might want to change the Comment > line to be more precise. Sorry for misunderstanding, I'll fix the comment line. I have removed almost all functionality as it is in the mockup https://live.gnome.org/Design/Proposals/UserIdentities and the first comment https://bugzilla.gnome.org/show_bug.cgi?id=681762#c0 excepted password changing, or should I have left there any other (eg. avatar)?
(In reply to comment #16) > (In reply to comment #13) > > (In reply to comment #11) > > > (In reply to comment #10) > > > > > However I don't understand will be there in g-c-c afterwards two icons "User > > > > > Accounts" and "User Account", or how it will be determined which icon should be > > > > > shown? > > > > > > > > I really don't know, we'll have to ask Stef about this. I think that it's not > > > > very important as long as bug 681753 is opened. > > > > > > It'll be determined by a dconf setting and the Lockdown (ie: pessulus) editor. > > > But it's not very firm yet. This is so than Enterprise administrators can avoid > > > confusing users with unnecessary options in a workstation style environment. > > > > Does the dconf setting exists for the lockdown yet? > > Nope. File a bug (with a patch ;) against gsettings-desktop-schemas. It's there: https://bugzilla.gnome.org/show_bug.cgi?id=684444
Created attachment 224825 [details] [review] locked down mode support Attached patch with more precious comment line in the desktop file.
Review of attachment 224825 [details] [review]: Thanks Ondrej. I'm not sure this patch is desired anymore, but it doesn't apply on master anyway, so I'm marking the patch as needs-work.
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new bug report at https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/ Thank you for your understanding and your help.