User properties/ privileges in AppleScript
20-09-2019
Question
I want to write an AppleScript program that first checks to see if the user has admin privileges and, if not, requests a re-login or something.
Eventually the script is going to need to do a sudo chmod of a folder I just created... I can do that with a do script and a with administrator privileges.
However, I haven't figured out how to either request admin privs for an AppleScript command, or even just check if the user HAS admin privs.
Anyone know? Or at least point me at a GOOD AppleScript ref? (The Apple.com reference is not helping me.)
thanks.
Solution
A solution from the Apple forum:
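-- GID 80 is the admin group on macOS; compare whole IDs so "80" cannot match e.g. "180"
if ("80" is not in (words of (do shell script "id -G"))) then
    error "This script requires an administrator account."
end if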
seems to do the trick. It's hard to read, and as Philip Regan said, I'm doing it via the command line, but it seems to give me the protection that I need...
OTHER TIPS
Just use with administrator privileges. If a user doesn't have admin privileges, AppleScript will prompt them for name and password. Use a try ... on error block in case the user cancels, enters the wrong password or just plain doesn't have admin rights.
If you really want to know if the current user is an administrator, check that the user is in the admin group:
on amIAdmin()
    -- Split the space-separated group names into a list so "admin" must match a whole name
    set prevDelims to AppleScript's text item delimiters
    set AppleScript's text item delimiters to " "
    set groups to do shell script "id -G -n"
    set groupList to text items of groups
    set isAdmin to "admin" is in groupList
    -- Restore the delimiters so later code in the script is not affected
    set AppleScript's text item delimiters to prevDelims
    return isAdmin
end amIAdmin

amIAdmin()
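The approach described in this tip, as an added example that is not code from any of the posters: it runs chmod through do shell script with administrator privileges and handles a cancelled prompt separately from other failures. The handler name chmodAsAdmin, the folder path and the mode 755 are assumptions chosen for illustration.

```applescript
-- Added example; handler name, folder path and mode are illustrative assumptions.
on chmodAsAdmin(folderPath, permBits)
    -- quoted form of keeps spaces and shell metacharacters in the arguments inert.
    set cmd to "/bin/chmod " & quoted form of permBits & " " & quoted form of folderPath
    try
        -- No sudo in the command: with administrator privileges already runs it as root.
        -- A non-admin user can enter an administrator's name and password in the prompt.
        do shell script cmd with administrator privileges
        return true
    on error errMsg number errNum
        if errNum is -128 then
            -- -128 is "User canceled": the authentication dialog was dismissed.
            display dialog "Administrator authentication was cancelled." buttons {"OK"} default button 1
        else
            -- Authentication failed or chmod itself returned an error.
            display dialog "Could not change permissions: " & errMsg buttons {"OK"} default button 1
        end if
        return false
    end try
end chmodAsAdmin

-- Hypothetical folder created earlier by the script.
set targetFolder to (POSIX path of (path to desktop folder)) & "NewFolder"
chmodAsAdmin(targetFolder, "755")
```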
Here's another alternative solution which no one mentioned yet.
The dscl command allows you to perform a variety of Directory Service tasks, and one of them is the ability to look up a user's account type.
The command: dscl . read /Groups/admin GroupMembership will list all admin accounts on OS X.
So if you wanted to incorporate that into an AppleScript you could do the following:
set userName to "whatever username you wanted to check"
set readAdminGroup to do shell script "dscl . read /Groups/admin GroupMembership"
set prevDelims to AppleScript's text item delimiters
set AppleScript's text item delimiters to " "
set adminNames to text items of readAdminGroup
set AppleScript's text item delimiters to prevDelims
--loop through Admin Group to check if username exists
set isAdmin to false
repeat with i in adminNames
    if (contents of i) is userName then
        set isAdmin to true
        exit repeat
    end if
end repeat
return isAdmin
Once you find out whether the variable isAdmin is true or false you can then perform a variety of functions. Also, if the script was being deployed or sent through ARD you could set the userName variable (the first line in the above script) to check for the current user with a whoami command. So the first line would then look like this:
set userName to do shell script "whoami"
I'm a little annoyed that System Events doesn't have a property in the user object for this, but the id and dscl based queries seem the best bet. For readability I use:
-- pad the output so admin also matches when it is the first or last group listed
set imadmin to " admin " is in (" " & (do shell script "groups") & " ")
Note the spaces around admin. This prevents it from being mixed up with groups like lpadmin.
Via MacScripter.net this should be a start: Managing Permissions (page 2 of 2)