User properties/ privileges in AppleScript

Question

I want to write an applescript program that first checks to see if the user has Admin privileges, and if it doesn't then requesting a re-log-in or something.

Eventually the script is going to need to do a sudo chmod of a folder I just created... I can do that with a do script and a with Administrator Priviledges.

However I haven't figured out how to either request admin privs for an applescript command, or even just check if the user HAS admin privs.

Anyone know? or at least point me at a GOOD applescript ref? (Apple.com reference is not helping me)

thanks.

Answer 1

A solution from the Apple forum:

if ("80" is not in (do shell script "id -G")) then
   Error....

seems to do the trick. It's hard to read, and as Philip Regan said, I'm doing it via the command line, but it seems to give me the protection that I need...

Answer 2

Just use the with administrator privileges. If a user doesn't have admin privileges, Applescript will prompt them for name and password. Use a try ... on error block in case the user cancels, enters the wrong password or just plain doesn't have admin rights.

If you really want to know if the current user is an administrator, check that the user is in the admin group:

on amIAdmin()
    set prevDelims to AppleScript's text item delimiters
    set AppleScript's text item delimiters to " "
    set groups to do shell script "id -G -n"
    set groupList to text items of groups
    set isAdmin to "admin" is in groupList
    set AppleScript's text item delimiters to prevDelims
    return isAdmin
end isAdmin

amIAdmin()

Answer 3

Here's another alternative solution which no one mentioned yet.

The dscl command allows you to perform a variety of Directory Service tasks
and one of them is the ability to look up a user's account type.

The command: dscl . read /Groups/admin GroupMembership will list all admin
accounts on OS X.

So if you wanted to incorporate that into an AppleScript you could do the following:

set userName to "whatever username you wanted to check"
set readAdminGroup to do shell script "dscl . read /Groups/admin GroupMembership"
set AppleScript's text item delimiters to " "
set adminNames to text items of readAdminGroup

--loop through Admin Group to check if username exists
repeat with i in adminNames
 if adminNames does not contain userName then
  set isAdmin to false
 else
  set isAdmin to true
 end if
end repeat

return isAdmin 

Once you find out whether the variable isAdmin is true or false you can then
perform a variety of functions. Also, if the script was being deployed or sent through ARD you could set the userName variable (the first line in the above script) to check for the current user with a whoami command. So the first line would then look like this:

set userName to do shell script "whoami"

Answer 4

I'm a little annoyed that System Events doesn't have a property in the user object for this, but the id and dscl based queries seem the best bet. For readability I use:

set imadmin to " admin " is in (do shell script "groups")

Note the spaces around admin. This prevents it form being mixed up with groups like lpadmin.

Answer 5

Via MacScripter.net this should be a start: Managing Permissions (page 2 of 2)