I’m implementing a custom Authorization right with the following rule:
    <key>authenticate-user</key>
    <true/>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>group</key>
    <string>admin</string>
The currently logged-in user is a standard user, and I’ve created a hidden admin account, e.g. _hiddenadmin, which has UID≠0 but belongs to the admin group.
From my Authorization Plug-in, I would like to programmatically satisfy this right using _hiddenadmin’s credentials, even though _hiddenadmin is not the logged-in user.
My question:
Is there a way to programmatically satisfy an authenticate-user right from an Authorization Plug-in using credentials of another (non-session) user?
Thanks for the clarification.
Can a plug-in participating in a rule chain short-circuit or fulfill an authenticate-user condition on behalf of the system?
No.
I was originally confused by your question because I thought that security credentials might be in play (see QA1277 Security Credentials). However, that’s only relevant if you complete the evaluation, and you’re asking about the behaviour in the middle of the custom.test evaluation. In that context your mechanism, running in the context of custom.test.plugin, has no control over the user targeted by custom.test.authenticate.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"