trunk/patches/gnome-panel-07-restrict-app-launching.diff

/jds/bin/diff -uprN gnome-panel-2.27.91.old/gnome-panel/panel-addto.c gnome-panel-2.27.91/gnome-panel/panel-addto.c
--- gnome-panel-2.27.91.old/gnome-panel/panel-addto.c	2009-08-26 17:27:48.018970000 +0100
+++ gnome-panel-2.27.91/gnome-panel/panel-addto.c	2009-08-26 17:33:56.113982000 +0100
@@ -571,9 +571,10 @@ panel_addto_make_applet_model (PanelAddt
 						dialog, NULL);
 }

-static void panel_addto_make_application_list (GSList             **parent_list,
+static gint panel_addto_make_application_list (GSList             **parent_list,
 					       GMenuTreeDirectory  *directory,
 					       const char          *filename);
+static void panel_addto_dialog_free_item_info (PanelAddtoItemInfo *item_info);

 static void
 panel_addto_prepend_directory (GSList             **parent_list,
@@ -581,6 +582,7 @@ panel_addto_prepend_directory (GSList
 			       const char          *filename)
 {
 	PanelAddtoAppList *data;
+    gint entries_added = 0;

 	data = g_new0 (PanelAddtoAppList, 1);

@@ -600,9 +602,16 @@ panel_addto_prepend_directory (GSList
 	 * So the iid is built when we select the row.
 	 */

-	*parent_list = g_slist_prepend (*parent_list, data);
-
-	panel_addto_make_application_list (&data->children, directory, filename);
+	entries_added = panel_addto_make_application_list (&data->children, directory, filename);
+	if (entries_added > 0) {
+		/*Only prepend if there are entries */
+		*parent_list = g_slist_prepend (*parent_list, data);
+	}
+	else {
+		/* Free data as not being appended */
+		panel_addto_dialog_free_item_info (&data->item_info);
+		g_free (data);
+	}
 }

 static void
@@ -624,12 +633,13 @@ panel_addto_prepend_entry (GSList
 	*parent_list = g_slist_prepend (*parent_list, data);
 }

-static void
+static gint
 panel_addto_prepend_alias (GSList         **parent_list,
 			   GMenuTreeAlias  *alias,
 			   const char      *filename)
 {
 	GMenuTreeItem *aliased_item;
+    gint entry = 0;

 	aliased_item = gmenu_tree_alias_get_item (alias);

@@ -641,9 +651,14 @@ panel_addto_prepend_alias (GSList
 		break;

 	case GMENU_TREE_ITEM_ENTRY:
-		panel_addto_prepend_entry (parent_list,
-					   GMENU_TREE_ENTRY (aliased_item),
-					   filename);
+
+        if (panel_lockdown_is_allowed_menu_entry
+                                            (GMENU_TREE_ENTRY (aliased_item))) {
+		    panel_addto_prepend_entry (parent_list,
+					    GMENU_TREE_ENTRY (aliased_item),
+					    filename);
+            entry = 1;
+        }
 		break;

 	default:
@@ -651,15 +666,17 @@ panel_addto_prepend_alias (GSList
 	}

 	gmenu_tree_item_unref (aliased_item);
+    return entry;
 }

-static void
+static gint
 panel_addto_make_application_list (GSList             **parent_list,
 				   GMenuTreeDirectory  *directory,
 				   const char          *filename)
 {
 	GSList *items;
 	GSList *l;
+    gint number_entries = 0;

 	items = gmenu_tree_directory_get_contents (directory);

@@ -670,11 +687,15 @@ panel_addto_make_application_list (GSLis
 			break;

 		case GMENU_TREE_ITEM_ENTRY:
-			panel_addto_prepend_entry (parent_list, l->data, filename);
+            if (panel_lockdown_is_allowed_menu_entry (l->data)) {
+			    panel_addto_prepend_entry (parent_list, l->data, filename);
+                number_entries = number_entries + 1;
+            }
 			break;

 		case GMENU_TREE_ITEM_ALIAS:
-			panel_addto_prepend_alias (parent_list, l->data, filename);
+			number_entries = number_entries +
+                    panel_addto_prepend_alias (parent_list, l->data, filename);
 			break;

 		default:
@@ -687,6 +708,8 @@ panel_addto_make_application_list (GSLis
 	g_slist_free (items);

 	*parent_list = g_slist_reverse (*parent_list);
+
+    return number_entries;
 }

 static void
/jds/bin/diff -uprN gnome-panel-2.27.91.old/gnome-panel/panel-lockdown.h gnome-panel-2.27.91/gnome-panel/panel-lockdown.h
--- gnome-panel-2.27.91.old/gnome-panel/panel-lockdown.h	2009-08-26 17:27:47.990078000 +0100
+++ gnome-panel-2.27.91/gnome-panel/panel-lockdown.h	2009-08-26 17:34:10.921311000 +0100
@@ -25,8 +25,11 @@
 #ifndef __PANEL_LOCKDOWN_H__
 #define __PANEL_LOCKDOWN_H__

+#include <libgnome/gnome-desktop-item.h>
 #include <glib.h>
 #include <glib-object.h>
+#include <gmenu-tree.h>
+#include "launcher.h"

 G_BEGIN_DECLS

@@ -39,13 +42,56 @@ gboolean panel_lockdown_get_disable_lock
 gboolean panel_lockdown_get_disable_log_out      (void);
 gboolean panel_lockdown_get_disable_force_quit   (void);

+gboolean panel_lockdown_get_restrict_application_launching (void);
+GSList  *panel_lockdown_get_allowed_applications (void);
+
 gboolean panel_lockdown_is_applet_disabled (const char *iid);
+gboolean panel_lockdown_is_allowed_application (const gchar *app);

 void panel_lockdown_notify_add    (GCallback callback_func,
                                    gpointer  user_data);
 void panel_lockdown_notify_remove (GCallback callback_func,
                                    gpointer  user_data);

+gchar *panel_lockdown_get_stripped_exec               (const gchar *full_exec);
+gchar *panel_lockdown_get_exec_from_ditem             (GnomeDesktopItem *ditem);
+gboolean panel_lockdown_ditem_in_allowed_applications (GnomeDesktopItem *ditem);
+gboolean panel_lockdown_is_disabled_command_line      (const gchar *term_cmd);
+
+/**
+  * Returns true if the ditem corresponds to an application whose use has been
+  * disallowed by the administrator (tests whether restrictions are in place
+  * and if the ditem matches the allowed applications list).
+  */
+gboolean panel_lockdown_is_forbidden_app              (GnomeDesktopItem *ditem);
+/**
+  * Returns true if the ditem corresponds to either an application whose use
+  * has been disallowed by the administrator (same as previous function) or
+  * a shell when command line use has been restricted.
+  */
+gboolean panel_lockdown_is_forbidden_ditem             (GnomeDesktopItem *ditem);
+/**
+  * Returns true if the command line corresponds to an application whose use
+  * has been disallowed by the administrator.
+  */
+gboolean panel_lockdown_is_forbidden_command           (const gchar *command);
+
+/**
+  * Returns true if the menu entry corresponds to an application whose use
+  * has been allowed by the administrator.
+  */
+gboolean panel_lockdown_is_allowed_menu_entry          (GMenuTreeEntry *entry);
+
+/**
+  * Returns true if the launcher application has been disallowed by the administrator.
+  */
+gboolean panel_lockdown_is_forbidden_launcher          (Launcher *launcher);
+
+/**
+  * Returns true if the key_file application has been disallowed by the administrator.
+  */
+gboolean panel_lockdown_is_forbidden_key_file (GKeyFile *key_file);
+
 G_END_DECLS

 #endif /* __PANEL_LOCKDOWN_H__ */
/jds/bin/diff -uprN gnome-panel-2.27.91.old/gnome-panel/panel-menu-items.h gnome-panel-2.27.91/gnome-panel/panel-menu-items.h
--- gnome-panel-2.27.91.old/gnome-panel/panel-menu-items.h	2009-08-26 17:27:47.989560000 +0100
+++ gnome-panel-2.27.91/gnome-panel/panel-menu-items.h	2009-08-26 17:34:22.060144000 +0100
@@ -90,6 +90,8 @@ void panel_desktop_menu_item_set_panel (
 void panel_menu_items_append_lock_logout (GtkWidget *menu);
 void panel_menu_item_activate_desktop_file (GtkWidget  *menuitem,
 					    const char *path);
+void panel_place_menu_item_recreate_menu (GtkWidget *widget);
+void panel_desktop_menu_item_recreate_menu (PanelDesktopMenuItem *desktop_item);

 G_END_DECLS

/jds/bin/diff -uprN gnome-panel-2.27.91.old/gnome-panel/Makefile.am gnome-panel-2.27.91/gnome-panel/Makefile.am
--- gnome-panel-2.27.91.old/gnome-panel/Makefile.am	2009-08-26 17:27:47.958497000 +0100
+++ gnome-panel-2.27.91/gnome-panel/Makefile.am	2009-08-26 17:34:33.698263000 +0100
@@ -165,6 +165,8 @@ gnome_desktop_item_edit_SOURCES = \
 	panel-ditem-editor.c	  \
 	panel-marshal.c		  \
 	panel-util.c		  \
+	panel-lockdown.c	\
+	panel-gconf.c		\
 	xstuff.c

 gnome_desktop_item_edit_LDFLAGS = -export-dynamic
/jds/bin/diff -uprN gnome-panel-2.27.91.old/gnome-panel/panel-action-button.c gnome-panel-2.27.91/gnome-panel/panel-action-button.c
--- gnome-panel-2.27.91.old/gnome-panel/panel-action-button.c	2009-08-26 17:27:47.940413000 +0100
+++ gnome-panel-2.27.91/gnome-panel/panel-action-button.c	2009-08-26 17:40:26.368224000 +0100
@@ -207,8 +207,11 @@ panel_action_shutdown_reboot_is_disabled
 static void
 panel_action_run_program (GtkWidget *widget)
 {
-	panel_run_dialog_present (gtk_widget_get_screen (widget),
-				  gtk_get_current_event_time ());
+    if (!panel_lockdown_get_restrict_application_launching () &&
+        !panel_lockdown_get_disable_command_line ()) {
+	    panel_run_dialog_present (gtk_widget_get_screen (widget),
+				    gtk_get_current_event_time ());
+    }
 }

 /* Search For Files
/jds/bin/diff -uprN gnome-panel-2.27.91.old/gnome-panel/panel-menu-bar.c gnome-panel-2.27.91/gnome-panel/panel-menu-bar.c
--- gnome-panel-2.27.91.old/gnome-panel/panel-menu-bar.c	2009-08-26 17:27:47.961196000 +0100
+++ gnome-panel-2.27.91/gnome-panel/panel-menu-bar.c	2009-08-26 17:35:05.241962000 +0100
@@ -69,6 +69,8 @@ enum {
 	PROP_ORIENTATION,
 };

+static GObjectClass *parent_class = NULL;
+
 static void panel_menu_bar_update_text_gravity (PanelMenuBar *menubar);

 static gboolean
@@ -132,6 +132,32 @@ panel_menu_bar_setup_tooltip (PanelMenuB
 }

 static void
+panel_menu_bar_parent_set (GtkWidget *widget,
+                          GtkWidget *previous_parent);
+
+static void
+panel_menubar_recreate_menus (PanelMenuBar *menubar)
+{
+       if (menubar->priv->applications_menu != NULL) {
+               while (GTK_MENU_SHELL (menubar->priv->applications_menu)->children) {
+                       gtk_widget_destroy (
+                               GTK_MENU_SHELL (menubar->priv->applications_menu)->children->data);
+               }
+               menubar->priv->applications_menu =
+                                       create_applications_menu ("applications.menu", NULL, TRUE);
+               gtk_menu_item_set_submenu
+                               (GTK_MENU_ITEM (menubar->priv->applications_item),
+                               menubar->priv->applications_menu);
+
+               panel_place_menu_item_recreate_menu(menubar->priv->places_item);
+               panel_desktop_menu_item_recreate_menu(
+                                               (PanelDesktopMenuItem *)menubar->priv->desktop_item);
+
+               panel_menu_bar_parent_set ((GtkWidget *)menubar, NULL);
+       }
+}
+
+static void
 panel_menu_bar_init (PanelMenuBar *menubar)
 {
 	GtkWidget *image;
@@ -164,6 +190,8 @@ panel_menu_bar_init (PanelMenuBar *menub
 			       menubar->priv->desktop_item);

 	panel_menu_bar_setup_tooltip (menubar);
+    panel_lockdown_notify_add (G_CALLBACK (panel_menubar_recreate_menus),
+                               menubar);

 	panel_menu_bar_update_text_gravity (menubar);
 	g_signal_connect (menubar, "screen-changed",
@@ -172,6 +236,15 @@ panel_menu_bar_init (PanelMenuBar *menub
 }

 static void
+panel_menu_bar_finalize (GObject *object)
+{
+	panel_lockdown_notify_remove (G_CALLBACK (panel_menubar_recreate_menus),
+                               object);
+
+	parent_class->finalize (object);
+}
+
+static void
 panel_menu_bar_get_property (GObject	*object,
 			     guint	 prop_id,
 			     GValue	*value,
@@ -274,10 +347,13 @@ panel_menu_bar_class_init (PanelMenuBarC

 	gobject_class->get_property = panel_menu_bar_get_property;
         gobject_class->set_property = panel_menu_bar_set_property;
+	gobject_class->finalize = panel_menu_bar_finalize;

 	widget_class->parent_set = panel_menu_bar_parent_set;
 	widget_class->size_allocate = panel_menu_bar_size_allocate;

+	parent_class = g_type_class_peek_parent (klass);
+
 	g_type_class_add_private (klass, sizeof (PanelMenuBarPrivate));

 	g_object_class_install_property (
/jds/bin/diff -uprN gnome-panel-2.27.91.old/gnome-panel/gnome-desktop-item-edit.c gnome-panel-2.27.91/gnome-panel/gnome-desktop-item-edit.c
--- gnome-panel-2.27.91.old/gnome-panel/gnome-desktop-item-edit.c	2009-08-26 17:27:48.019780000 +0100
+++ gnome-panel-2.27.91/gnome-panel/gnome-desktop-item-edit.c	2009-08-26 17:41:37.134321000 +0100
@@ -21,7 +21,6 @@ GConfClient *panel_gconf_get_client (voi
 #include "panel-config-global.h"
 gboolean panel_global_config_get_tooltips_enabled (void) { return FALSE; }
 #include "panel-lockdown.h"
-gboolean panel_lockdown_get_disable_lock_screen (void) { return FALSE; }

 static int dialogs = 0;
 static gboolean create_new = FALSE;
/jds/bin/diff -uprN gnome-panel-2.27.91.old/gnome-panel/panel-lockdown.c gnome-panel-2.27.91/gnome-panel/panel-lockdown.c
--- gnome-panel-2.27.91.old/gnome-panel/panel-lockdown.c	2009-08-26 17:27:47.989262000 +0100
+++ gnome-panel-2.27.91/gnome-panel/panel-lockdown.c	2009-08-26 17:50:44.869236000 +0100
@@ -28,13 +28,16 @@

 #include <string.h>
 #include "panel-gconf.h"
+#include <libpanel-util/panel-keyfile.h>

-#define N_LISTENERS 6
+#define N_LISTENERS 8

 #define PANEL_GLOBAL_LOCKDOWN_DIR    "/apps/panel/global"
 #define DESKTOP_GNOME_LOCKDOWN_DIR   "/desktop/gnome/lockdown"
 #define PANEL_GLOBAL_LOCKED_DOWN_KEY PANEL_GLOBAL_LOCKDOWN_DIR  "/locked_down"
 #define DISABLE_COMMAND_LINE_KEY     DESKTOP_GNOME_LOCKDOWN_DIR "/disable_command_line"
+#define RESTRICT_APPLICATION_LAUNCHING_KEY     DESKTOP_GNOME_LOCKDOWN_DIR "/restrict_application_launching"
+#define ALLOWED_APPLICATIONS_KEY     DESKTOP_GNOME_LOCKDOWN_DIR "/allowed_applications"
 #define DISABLE_LOCK_SCREEN_KEY      DESKTOP_GNOME_LOCKDOWN_DIR  "/disable_lock_screen"
 #define DISABLE_LOG_OUT_KEY          PANEL_GLOBAL_LOCKDOWN_DIR  "/disable_log_out"
 #define DISABLE_FORCE_QUIT_KEY       PANEL_GLOBAL_LOCKDOWN_DIR  "/disable_force_quit"
@@ -48,6 +51,9 @@ typedef struct {
         guint   disable_lock_screen : 1;
         guint   disable_log_out : 1;
         guint   disable_force_quit : 1;
+        guint   restrict_application_launching : 1;
+
+        GSList *allowed_applications;

         GSList *disabled_applets;

@@ -56,6 +62,12 @@ typedef struct {
         GSList *closures;
 } PanelLockdown;

+static const gchar *command_line_execs[] = {
+    "/usr/bin/gnome-terminal",
+    "/usr/bin/xterm"
+};
+#define NUMBER_COMMAND_LINE_EXECS   2
+
 static PanelLockdown panel_lockdown = { 0, };


@@ -63,9 +75,17 @@ static inline void
 panel_lockdown_invoke_closures (PanelLockdown *lockdown)
 {
         GSList *l;
+        GSList *copy = NULL;

-        for (l = lockdown->closures; l; l = l->next)
+		copy = g_slist_copy (lockdown->closures);
+        for (l = copy; l != NULL; l = l->next) {
+			if (g_slist_find (lockdown->closures, l->data)) {
+				g_closure_ref (l->data);
                 g_closure_invoke (l->data, NULL, 0, NULL, NULL);
+				g_closure_unref (l->data);
+			}
+		}
+        g_slist_free (copy);
 }

 static void
@@ -166,6 +186,50 @@ disabled_applets_notify (GConfClient   *
         panel_lockdown_invoke_closures (lockdown);
 }

+static void
+restrict_application_launching_notify (GConfClient   *client,
+                                       guint          cnxn_id,
+                                       GConfEntry    *entry,
+                                       PanelLockdown *lockdown)
+{
+        if (!entry->value || entry->value->type != GCONF_VALUE_BOOL)
+                return;
+
+        lockdown->restrict_application_launching =
+                        gconf_value_get_bool (entry->value);
+
+        panel_lockdown_invoke_closures (lockdown);
+}
+
+
+static void
+allowed_applications_notify (GConfClient   *client,
+                             guint          cnxn_id,
+                             GConfEntry    *entry,
+                             PanelLockdown *lockdown)
+{
+        GSList *l;
+
+        if (!entry->value || entry->value->type != GCONF_VALUE_LIST ||
+            gconf_value_get_list_type (entry->value) != GCONF_VALUE_STRING)
+                return;
+
+        for (l = lockdown->allowed_applications; l; l = l->next)
+                g_free (l->data);
+        g_slist_free (lockdown->allowed_applications);
+        lockdown->allowed_applications = NULL;
+
+        for (l = gconf_value_get_list (entry->value); l; l = l->next) {
+                const char *iid = gconf_value_get_string (l->data);
+
+                lockdown->allowed_applications =
+                g_slist_prepend (lockdown->allowed_applications,
+                                 g_strdup (iid));
+        }
+
+        panel_lockdown_invoke_closures (lockdown);
+}
+
 static gboolean
 panel_lockdown_load_bool (PanelLockdown         *lockdown,
                           GConfClient           *client,
@@ -215,6 +279,28 @@ panel_lockdown_load_disabled_applets (Pa
         return retval;
 }

+static GSList *
+panel_lockdown_load_allowed_applications (PanelLockdown *lockdown,
+                                          GConfClient   *client,
+                                          int            listener)
+{
+        GSList *retval;
+
+        retval = gconf_client_get_list (client,
+                                        ALLOWED_APPLICATIONS_KEY,
+                                        GCONF_VALUE_STRING,
+                                        NULL);
+
+        lockdown->listeners [listener] =
+        gconf_client_notify_add (client,
+                                 ALLOWED_APPLICATIONS_KEY,
+                                 (GConfClientNotifyFunc) allowed_applications_notify,
+                                 lockdown,
+                                 NULL, NULL);
+
+        return retval;
+}
+
 void
 panel_lockdown_init (void)
 {
@@ -273,6 +359,18 @@ panel_lockdown_init (void)
                                                       client,
                                                       i++);

+        panel_lockdown.restrict_application_launching =
+                panel_lockdown_load_bool (&panel_lockdown,
+                                          client,
+                                          RESTRICT_APPLICATION_LAUNCHING_KEY,
+                                          (GConfClientNotifyFunc) restrict_application_launching_notify,
+                                          i++);
+
+        panel_lockdown.allowed_applications =
+                panel_lockdown_load_allowed_applications (&panel_lockdown,
+                                                          client,
+                                                          i++);
+
         g_assert (i == N_LISTENERS);

         panel_lockdown.initialized = TRUE;
@@ -294,6 +392,13 @@ panel_lockdown_finalize (void)
         g_slist_free (panel_lockdown.disabled_applets);
         panel_lockdown.disabled_applets = NULL;

+        for (l = panel_lockdown.allowed_applications; l; l = l->next) {
+                g_free (l->data);
+        }
+
+        g_slist_free (panel_lockdown.allowed_applications);
+        panel_lockdown.allowed_applications = NULL;
+
         for (i = 0; i < N_LISTENERS; i++) {
                 if (panel_lockdown.listeners [i])
                         gconf_client_notify_remove (client,
@@ -371,6 +476,36 @@ panel_lockdown_is_applet_disabled (const
         return FALSE;
 }

+gboolean
+panel_lockdown_get_restrict_application_launching (void)
+{
+        g_assert (panel_lockdown.initialized != FALSE);
+
+        return panel_lockdown.restrict_application_launching;
+}
+
+GSList *
+panel_lockdown_get_allowed_applications (void)
+{
+        g_assert (panel_lockdown.initialized == TRUE);
+
+        return panel_lockdown.allowed_applications;
+}
+
+gboolean
+panel_lockdown_is_allowed_application (const gchar *app)
+{
+        GSList *l;
+
+        g_assert (panel_lockdown.initialized != FALSE);
+
+        for (l = panel_lockdown.allowed_applications; l; l = l->next)
+                if (!strcmp (l->data, app))
+                        return TRUE;
+
+        return FALSE;
+}
+
 static GClosure *
 panel_lockdown_notify_find (GSList    *closures,
                             GCallback  callback_func,
@@ -440,3 +575,161 @@ panel_lockdown_notify_remove (GCallback

         g_closure_unref (closure);
 }
+
+gchar *
+panel_lockdown_get_stripped_exec (const gchar *full_exec)
+{
+        gchar *str1, *str2, *retval, *p;
+
+        str1 = g_strdup (full_exec);
+        p = strtok (str1, " ");
+
+        if (p != NULL)
+               str2 = g_strdup (p);
+        else
+                str2 = g_strdup (full_exec);
+
+        g_free (str1);
+
+        if (g_path_is_absolute (str2))
+                retval = g_strdup (str2);
+        else
+                retval = g_strdup (g_find_program_in_path ((const gchar *)str2));
+        g_free (str2);
+
+        return retval;
+}
+
+gchar *
+panel_lockdown_get_exec_from_ditem (GnomeDesktopItem *ditem)
+{
+        const char *full_exec;
+        gchar *retval = NULL;
+
+        full_exec = gnome_desktop_item_get_string (ditem,
+                                                   GNOME_DESKTOP_ITEM_EXEC);
+
+        if (full_exec != NULL)
+                retval = panel_lockdown_get_stripped_exec (full_exec);
+
+        return retval;
+}
+
+gboolean
+panel_lockdown_ditem_in_allowed_applications (GnomeDesktopItem *ditem)
+{
+        gboolean retval = FALSE;
+        gchar *stripped_exec;
+
+        stripped_exec = panel_lockdown_get_exec_from_ditem (ditem);
+
+        if (stripped_exec != NULL) {
+                retval = panel_lockdown_is_allowed_application (stripped_exec);
+                g_free (stripped_exec);
+        }
+
+        return retval;
+}
+
+gboolean
+panel_lockdown_is_disabled_command_line (const gchar *term_cmd)
+{
+        int i = 0;
+        gboolean retval = FALSE;
+
+        for (i=0; i<NUMBER_COMMAND_LINE_EXECS; i++) {
+                if (!strcmp (command_line_execs [i], term_cmd)) {
+                        retval = TRUE;
+                        break;
+                }
+        }
+
+        return retval;
+}
+
+gboolean
+panel_lockdown_is_forbidden_app(GnomeDesktopItem *ditem) {
+        g_return_val_if_fail (ditem != NULL, TRUE) ;
+        return panel_lockdown_get_restrict_application_launching () &&
+                !panel_lockdown_ditem_in_allowed_applications (ditem) ;
+}
+
+gboolean
+panel_lockdown_is_forbidden_ditem(GnomeDesktopItem *ditem)
+{
+        g_return_val_if_fail (ditem != NULL, TRUE) ;
+        if (panel_lockdown_is_forbidden_app (ditem)) { return TRUE ; }
+        if (panel_lockdown_get_disable_command_line ()) {
+                char *stripped = panel_lockdown_get_exec_from_ditem (ditem) ;
+
+                if (stripped != NULL) {
+                        gboolean retCode =
+                                panel_lockdown_is_disabled_command_line (stripped) ;
+
+                        g_free (stripped) ;
+                        return retCode ;
+                }
+        }
+        return FALSE ;
+}
+
+gboolean
+panel_lockdown_is_forbidden_command (const char *command)
+{
+        g_return_val_if_fail (command != NULL, TRUE) ;
+        return panel_lockdown_get_restrict_application_launching () &&
+                !panel_lockdown_is_allowed_application (command) ;
+}
+
+gboolean
+panel_lockdown_is_allowed_menu_entry (GMenuTreeEntry *entry)
+{
+        const char *path;
+        GnomeDesktopItem *item = NULL ;
+
+        if (!panel_lockdown_get_restrict_application_launching ())
+                return TRUE;
+
+        path = gmenu_tree_entry_get_desktop_file_path (entry) ;
+
+        if (path != NULL) {
+                item = gnome_desktop_item_new_from_file (path, 0, NULL) ;
+                if (item != NULL) {
+                        gboolean retCode = !panel_lockdown_is_forbidden_ditem (item) ;
+
+                        gnome_desktop_item_unref (item) ;
+                        return retCode ;
+                }
+        }
+        return TRUE ;
+}
+
+gboolean
+panel_lockdown_is_forbidden_launcher (Launcher *launcher)
+{
+	return (panel_lockdown_is_forbidden_key_file(launcher->key_file));
+}
+
+gboolean
+panel_lockdown_is_forbidden_key_file (GKeyFile *key_file)
+{
+	gchar *full_exec;		/* Executable including possible arguments */
+	gchar *stripped_exec;	/* Executable with arguments stripped away */
+	gboolean retval = FALSE;
+
+    /* If restrict_application_launching not set on return TRUE */
+    if (!panel_lockdown_get_restrict_application_launching ()) {
+        return retval;
+    }
+
+	if (key_file != NULL)
+	{
+		full_exec = panel_key_file_get_string (key_file, "Exec");
+        if (full_exec != NULL) {
+        	stripped_exec = panel_lockdown_get_stripped_exec (full_exec);
+		retval = panel_lockdown_is_forbidden_command (stripped_exec);
+                g_free (stripped_exec);
+		}
+	}
+	return retval;
+}
/jds/bin/diff -uprN gnome-panel-2.27.91.old/gnome-panel/panel-menu-items.c gnome-panel-2.27.91/gnome-panel/panel-menu-items.c
--- gnome-panel-2.27.91.old/gnome-panel/panel-menu-items.c	2009-08-26 17:27:47.973492000 +0100
+++ gnome-panel-2.27.91/gnome-panel/panel-menu-items.c	2009-08-26 17:36:15.979872000 +0100
@@ -157,6 +157,21 @@ panel_menu_items_append_from_desktop (Gt
 	char      *icon;
 	char      *name;
 	char      *comment;
+	GnomeDesktopItem *ditem;
+
+	/* If restricted application, then don't append */
+	if (g_path_is_absolute (path))
+		ditem = gnome_desktop_item_new_from_file (path, 0, NULL);
+	else
+		ditem = gnome_desktop_item_new_from_basename (path, 0, NULL);
+	if (ditem != NULL && panel_lockdown_is_forbidden_ditem (ditem)) {
+		gnome_desktop_item_unref (ditem);
+		return;
+	}
+
+	if (ditem != NULL) {
+		gnome_desktop_item_unref (ditem);
+	}

 	path_freeme = NULL;

@@ -1073,7 +1088,7 @@ panel_place_menu_item_create_menu (Panel
 	return places_menu;
 }

-static void
+void
 panel_place_menu_item_recreate_menu (GtkWidget *widget)
 {
 	PanelPlaceMenuItem *place_item;
@@ -1181,7 +1196,7 @@ panel_desktop_menu_item_create_menu (Pan
 	return desktop_menu;
 }

-static void
+void
 panel_desktop_menu_item_recreate_menu (PanelDesktopMenuItem *desktop_item)
 {
 	if (desktop_item->priv->menu) {
@@ -1548,8 +1563,11 @@ panel_menu_items_append_lock_logout (Gtk
 		tooltip = NULL;
 	}

-	item = panel_menu_items_create_action_item_full (PANEL_ACTION_LOGOUT,
-							 label, tooltip);
+    if (!panel_lockdown_get_disable_log_out ()) {
+	    item = panel_menu_items_create_action_item_full (PANEL_ACTION_LOGOUT,
+							    label, tooltip);
+    }
+
 	g_free (label);
 	g_free (tooltip);

@@ -1575,5 +1593,21 @@ void
 panel_menu_item_activate_desktop_file (GtkWidget  *menuitem,
 				       const char *path)
 {
+	GnomeDesktopItem *ditem;
+
+	if (g_path_is_absolute (path))
+		ditem = gnome_desktop_item_new_from_file (path, 0, NULL);
+	else
+		ditem = gnome_desktop_item_new_from_basename (path, 0, NULL);
+
+	if (ditem != NULL && panel_lockdown_is_forbidden_ditem (ditem)) {
+		gnome_desktop_item_unref (ditem);
+		return;		/* Don't launch as it's a forbidden desktop file */
+	}
+
+	if (ditem != NULL) {
+		gnome_desktop_item_unref (ditem);
+	}
+
 	panel_launch_desktop_file (path, menuitem_to_screen (menuitem), NULL);
 }
/jds/bin/diff -uprN gnome-panel-2.27.91.old/gnome-panel/launcher.c gnome-panel-2.27.91/gnome-panel/launcher.c
--- gnome-panel-2.27.91.old/gnome-panel/launcher.c	2009-08-26 17:27:47.942300000 +0100
+++ gnome-panel-2.27.91/gnome-panel/launcher.c	2009-08-26 17:56:11.860620000 +0100
@@ -105,6 +105,9 @@ launch_url (Launcher *launcher)
 	g_return_if_fail (launcher != NULL);
 	g_return_if_fail (launcher->key_file != NULL);

+    if (panel_lockdown_is_forbidden_launcher (launcher))
+        return;
+
 	/* FIXME panel_ditem_launch() should be enough for this! */
 	url = panel_key_file_get_string (launcher->key_file, "URL");

@@ -136,6 +139,9 @@ launcher_launch (Launcher  *launcher,
 	g_return_if_fail (launcher != NULL);
 	g_return_if_fail (launcher->key_file != NULL);

+    if (panel_lockdown_is_forbidden_launcher (launcher))
+        return;
+
 	if (panel_global_config_get_enable_animations ())
 		xstuff_zoom_animate (widget,
 				     button_widget_get_pixbuf (BUTTON_WIDGET (widget)),
@@ -253,6 +259,8 @@ launcher_properties_destroy (Launcher *l
 		gtk_widget_destroy (dialog);
 }

+static void panel_recheck_launcher (Launcher *launcher);
+
 static void
 free_launcher (gpointer data)
 {
@@ -266,6 +274,8 @@ free_launcher (gpointer data)
 		g_free (launcher->location);
 	launcher->location = NULL;

+	panel_lockdown_notify_remove (G_CALLBACK (panel_recheck_launcher), launcher);
+
 	g_free (launcher);
 }

@@ -410,6 +416,19 @@ drag_data_get_cb (GtkWidget        *widg

 }

+static void
+panel_recheck_launcher (Launcher *launcher)
+{
+	if (!launcher || !launcher->button)
+		return;
+
+    if (panel_lockdown_is_forbidden_launcher (launcher)) {
+        gtk_widget_hide (launcher->button);
+    } else {
+	    gtk_widget_show (launcher->button);
+    }
+}
+
 static Launcher *
 create_launcher (const char *location)
 {
@@ -488,7 +507,11 @@ create_launcher (const char *location)
 					      FALSE,
 					      PANEL_ORIENTATION_TOP);

-	gtk_widget_show (launcher->button);
+    if (panel_lockdown_is_forbidden_launcher (launcher)) {
+        gtk_widget_hide (launcher->button);
+    } else {
+	    gtk_widget_show (launcher->button);
+    }

 	/*gtk_drag_dest_set (GTK_WIDGET (launcher->button),
 			   GTK_DEST_DEFAULT_ALL,
@@ -515,6 +538,8 @@ create_launcher (const char *location)
 					  G_CALLBACK (destroy_launcher),
 					  launcher);

+	panel_lockdown_notify_add (G_CALLBACK (panel_recheck_launcher), launcher);
+
 	return launcher;
 }

@@ -813,6 +838,12 @@ load_launcher_applet (const char       *
 	/* setup button according to ditem */
 	setup_button (launcher);

+    if (panel_lockdown_is_forbidden_launcher (launcher)) {
+        gtk_widget_hide (launcher->button);
+    } else {
+	    gtk_widget_show (launcher->button);
+    }
+
 	return launcher;
 }

@@ -901,6 +932,10 @@ ask_about_launcher (const char  *file,
 	if (file != NULL)
 		panel_key_file_set_string (key_file, "Exec", file);
 	panel_key_file_set_string (key_file, "Type", "Application");
+
+    if (panel_lockdown_is_forbidden_key_file (key_file))
+        return; /* Application being dragged is forbidden so just return */
+
 	panel_ditem_editor_sync_display (PANEL_DITEM_EDITOR (dialog));

 	panel_ditem_register_save_uri_func (PANEL_DITEM_EDITOR (dialog),
--- gnome-panel-2.27.92/gnome-panel/menu.c.ori	2009-09-09 10:13:23.778451017 +0100
+++ gnome-panel-2.27.92/gnome-panel/menu.c	2009-09-09 10:21:41.371983238 +0100
@@ -74,7 +74,8 @@
 static GSList *image_menu_items = NULL;

 static GtkWidget *populate_menu_from_directory (GtkWidget          *menu,
-						GMenuTreeDirectory *directory);
+						GMenuTreeDirectory *directory,
+                        gboolean           *is_hidden);

 static void panel_load_menu_image_deferred (GtkWidget   *image_menu_item,
 					    GtkIconSize  icon_size,
@@ -1272,7 +1273,8 @@
 }

 static void
-submenu_to_display (GtkWidget *menu)
+submenu_to_display (GtkWidget *menu,
+                    gboolean  *is_hidden)
 {
 	GMenuTree           *tree;
 	GMenuTreeDirectory  *directory;
@@ -1307,7 +1309,15 @@
 	}

 	if (directory)
-		populate_menu_from_directory (menu, directory);
+        { /* It's possible that is_hidden is NULL if we end up here from the show
+           signal, which could only happen for the top level menu. */
+        gboolean local_is_hidden = FALSE;
+
+		populate_menu_from_directory (menu, directory, &local_is_hidden);
+        if (is_hidden != NULL) {
+            *is_hidden = local_is_hidden;
+        }
+    }

 	append_callback = g_object_get_data (G_OBJECT (menu),
 					     "panel-menu-append-callback");
@@ -1321,10 +1331,11 @@
 submenu_to_display_in_idle (gpointer data)
 {
 	GtkWidget *menu = GTK_WIDGET (data);
+    gboolean is_hidden = FALSE;

 	g_object_set_data (G_OBJECT (menu), "panel-menu-idle-id", NULL);

-	submenu_to_display (menu);
+	submenu_to_display (menu, &is_hidden);

 	return FALSE;
 }
@@ -1419,19 +1430,25 @@
 static void
 create_submenu (GtkWidget          *menu,
 		GMenuTreeDirectory *directory,
-		GMenuTreeDirectory *alias_directory)
+		GMenuTreeDirectory *alias_directory,
+		gboolean           *is_hidden)
 {
 	GtkWidget *menuitem;
 	GtkWidget *submenu;
 	gboolean   force_categories_icon;

+	submenu = create_fake_menu (directory);
+	if (panel_lockdown_get_restrict_application_launching ()) {
+		submenu_to_display (submenu, is_hidden);
+	} else {
+		*is_hidden = FALSE;
+	}
+
 	if (alias_directory)
 		menuitem = create_submenu_entry (menu, alias_directory);
 	else
 		menuitem = create_submenu_entry (menu, directory);

-	submenu = create_fake_menu (directory);
-
 	gtk_menu_item_set_submenu (GTK_MENU_ITEM (menuitem), submenu);

 	/* Keep the infor that we force (or not) the icons to be visible */
@@ -1440,15 +1457,21 @@
 	g_object_set_data (G_OBJECT (submenu),
 			   "panel-menu-force-icon-for-categories",
 			   GINT_TO_POINTER (force_categories_icon));
+
+	if (*is_hidden) {
+		gtk_widget_hide (menuitem);
+	}
 }

 static void
 create_header (GtkWidget       *menu,
-	       GMenuTreeHeader *header)
+	       GMenuTreeHeader *header,
+	       gboolean *is_hidden)
 {
 	GMenuTreeDirectory *directory;
 	GtkWidget          *menuitem;

+	*is_hidden = FALSE;
 	directory = gmenu_tree_header_get_directory (header);
 	menuitem = create_submenu_entry (menu, directory);
 	gmenu_tree_item_unref (directory);
@@ -1465,10 +1488,12 @@
 static void
 create_menuitem (GtkWidget          *menu,
 		 GMenuTreeEntry     *entry,
-		 GMenuTreeDirectory *alias_directory)
+		 GMenuTreeDirectory *alias_directory,
+                                    gboolean *is_hidden)
 {
 	GtkWidget  *menuitem;

+        *is_hidden = FALSE;
 	menuitem = panel_image_menu_item_new ();

 	g_object_set_data_full (G_OBJECT (menuitem),
@@ -1545,12 +1570,18 @@
 	g_signal_connect (menuitem, "activate",
 			  G_CALLBACK (activate_app_def), entry);

-	gtk_widget_show (menuitem);
+    if (entry != NULL && !panel_lockdown_is_allowed_menu_entry (entry)) {
+        gtk_widget_hide (menuitem);
+        *is_hidden = TRUE;
+    } else {
+	    gtk_widget_show (menuitem);
+    }
 }

 static void
 create_menuitem_from_alias (GtkWidget      *menu,
-			    GMenuTreeAlias *alias)
+			    GMenuTreeAlias *alias,
+                gboolean *is_hidden)
 {
 	GMenuTreeItem *aliased_item;

@@ -1560,13 +1591,15 @@
 	case GMENU_TREE_ITEM_DIRECTORY:
 		create_submenu (menu,
 				GMENU_TREE_DIRECTORY (aliased_item),
-				gmenu_tree_alias_get_directory (alias));
+				gmenu_tree_alias_get_directory (alias),
+                is_hidden);
 		break;

 	case GMENU_TREE_ITEM_ENTRY:
 		create_menuitem (menu,
 				 GMENU_TREE_ENTRY (aliased_item),
-				 gmenu_tree_alias_get_directory (alias));
+				 gmenu_tree_alias_get_directory (alias),
+                 is_hidden);
 		break;

 	default:
@@ -1673,18 +1706,21 @@

 static GtkWidget *
 populate_menu_from_directory (GtkWidget          *menu,
-			      GMenuTreeDirectory *directory)
+			      GMenuTreeDirectory *directory,
+                  gboolean *is_hidden)
 {
 	GSList   *l;
 	GSList   *items;
 	gboolean  add_separator;

+    *is_hidden = TRUE;
 	add_separator = (GTK_MENU_SHELL (menu)->children != NULL);

 	items = gmenu_tree_directory_get_contents (directory);

 	for (l = items; l; l = l->next) {
 		GMenuTreeItem *item = l->data;
+        gboolean is_item_hidden = TRUE;

 		if (add_separator ||
 		    gmenu_tree_item_get_type (item) == GMENU_TREE_ITEM_SEPARATOR) {
@@ -1694,11 +1730,13 @@

 		switch (gmenu_tree_item_get_type (item)) {
 		case GMENU_TREE_ITEM_DIRECTORY:
-			create_submenu (menu, GMENU_TREE_DIRECTORY (item), NULL);
+			create_submenu (menu, GMENU_TREE_DIRECTORY (item), NULL,
+                            &is_item_hidden);
 			break;

 		case GMENU_TREE_ITEM_ENTRY:
-			create_menuitem (menu, GMENU_TREE_ENTRY (item), NULL);
+			create_menuitem (menu, GMENU_TREE_ENTRY (item), NULL,
+                             &is_item_hidden);
 			break;

 		case GMENU_TREE_ITEM_SEPARATOR :
@@ -1706,11 +1744,13 @@
 			break;

 		case GMENU_TREE_ITEM_ALIAS:
-			create_menuitem_from_alias (menu, GMENU_TREE_ALIAS (item));
+			create_menuitem_from_alias (menu, GMENU_TREE_ALIAS (item),
+                                        &is_item_hidden);
 			break;

 		case GMENU_TREE_ITEM_HEADER:
-			create_header (menu, GMENU_TREE_HEADER (item));
+			create_header (menu, GMENU_TREE_HEADER (item),
+                           &is_item_hidden);
 			break;

 		default:
@@ -1718,6 +1758,10 @@
 		}

 		gmenu_tree_item_unref (item);
+
+        if (!is_item_hidden) {
+            *is_hidden = FALSE;
+        }
 	}

 	g_slist_free (items);
diff -ruN gnome-panel-2.29.5.1.orig/gnome-panel/gnome-desktop-item-edit.c gnome-panel-2.29.5.1/gnome-panel/gnome-desktop-item-edit.c
--- gnome-panel-2.29.5.1.orig/gnome-panel/gnome-desktop-item-edit.c	2010-01-18 09:05:11.250044366 +0000
+++ gnome-panel-2.29.5.1/gnome-panel/gnome-desktop-item-edit.c	2010-01-18 09:06:41.525403508 +0000
@@ -103,6 +103,8 @@
 	bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8");
 	textdomain (GETTEXT_PACKAGE);

+     panel_lockdown_init ();
+
 	if (!gtk_init_with_args (&argc, &argv,
 	                         _("- Edit .desktop files"),
 	                         options,
@@ -220,5 +222,7 @@
 	if (dialogs > 0)
 		gtk_main ();

+    panel_lockdown_finalize ();
+
         return 0;
 }
diff -ruN gnome-panel-2.29.5.1.rig/gnome-panel/launcher.c gnome-panel-2.29.5.1/gnome-panel/launcher.c
--- gnome-panel-2.29.5.1.rig/gnome-panel/launcher.c	2010-01-18 09:08:38.405535199 +0000
+++ gnome-panel-2.29.5.1/gnome-panel/launcher.c	2010-01-18 09:09:52.117045808 +0000
@@ -996,17 +996,18 @@
 	location = panel_make_unique_desktop_uri (NULL, exec_or_uri);

 	error = NULL;
-	if (panel_key_file_to_file (key_file, location, &error)) {
-		panel_launcher_create (toplevel, position, location);
-	} else {
-		panel_error_dialog (GTK_WINDOW (toplevel),
-				    gtk_window_get_screen (GTK_WINDOW (toplevel)),
-				    "cannot_save_launcher", TRUE,
-				    _("Could not save launcher"),
-				    error->message);
-		g_error_free (error);
-	}
-
+    if (!panel_lockdown_is_forbidden_key_file (key_file)) {
+           if (panel_key_file_to_file (key_file, location, &error)) {
+                   panel_launcher_create (toplevel, position, location);
+           } else {
+                   panel_error_dialog (GTK_WINDOW (toplevel),
+                                       gtk_window_get_screen (GTK_WINDOW (toplevel)),
+                                       "cannot_save_launcher", TRUE,
+                                       _("Could not save launcher"),
+                                       error->message);
+                   g_error_free (error);
+           }
+    }
 	g_key_file_free (key_file);
 }