GNOME - set personal default printer

Hi,

I want users to be able to set personal default printers. System-wide default printer must not be changed. In Fedora Workstation 40 in gnome-control-center printers in printers’ ⋮ button the “Use Printer by Default” option is grey, i.e. cannot be run.

Granting PolicyKit action “org.opensuse.cupspkhelper.mechanism.printer-set-default” is not sufficient. “Use Printer by Default” cannot be run.
Granting “org.opensuse.cupspkhelper.mechanism.all-edit” allows running “Use Printer by Default”, but also unlocks the GNOME settings menu.

Any downside to granting “all-edit” (option 2) for my environment? It seems to be safe, but it feels wrong.

Did I miss another option?

It would be nice if GNOME would allow users to set personal default printers without “all-edit”. In a few days I will ask at GNOME to add in ⋮ button “Use Printer by Default (personal)”. Or do I have to take it to OpenPrinting CUPS?

Environment
CentOS Stream 9 server “cups” as CUPS server, on which printers are configured and shared. Only networked printers are used. The Fedora 40 clients get configured to ask cups for printer list and with a system-wide default printer:

$ cat /etc/cups/client.conf
ServerName cups
DigestOptions DenyMD5
$ cat /etc/cups/lpoptions 
# default printer
Default printer0

Users do not have administrative rights. All users can use all printers. Users cannot change the local system-wide default printer. That is fine with PCs. But users with notebooks moving around want to change the personal default printer. This allows using the nearest printer and avoids selecting the printer in the printer list for each print job. I found options. Both work.

Option 1
$ sudo dnf install -y system-config-printer
$ system-config-printer followed by right click on printer – Set As Default – |x| Set as my personal default printer – [OK]

A heart icon will appear on top of the printer. A user-specific file has been created/changed:

$ cat ${HOME}/.cups/lpoptions
Default printer1

pro: easy to use; works on different desktop environments, f.i. Xfce
contra: additional program must be installed

Option 2
$ gnome-control-center printers

All printers are listed. Good.
The menu is locked (see top right corner). Users cannot unlock the menu. Good. Users must not add/remove/edit printers.
In the printers’ ⋮ button the “Use Printer by Default” option cannot be run. Bad. Users must be able to set personal default printer.

A sudo-based solution gave too many privileges to the users.
I noticed PolicyKit offers CUPS-related actions:

$ pkaction  | grep -i cups
org.opensuse.cupspkhelper.mechanism.all-edit
org.opensuse.cupspkhelper.mechanism.class-edit
org.opensuse.cupspkhelper.mechanism.devices-get
org.opensuse.cupspkhelper.mechanism.job-edit
org.opensuse.cupspkhelper.mechanism.job-not-owned-edit
org.opensuse.cupspkhelper.mechanism.printer-enable
org.opensuse.cupspkhelper.mechanism.printer-local-edit
org.opensuse.cupspkhelper.mechanism.printer-remote-edit
org.opensuse.cupspkhelper.mechanism.printer-set-default
org.opensuse.cupspkhelper.mechanism.printeraddremove
org.opensuse.cupspkhelper.mechanism.server-settings

In “/usr/share/polkit-1/actions/org.opensuse.cupspkhelper.mechanism.policy” you can read:

...
  <!-- Exists mainly so that it's possible to not require a password for this
       operation: if some authorization is required, then the PolicyKit helper
       will fallback on printer-X-edit. -->
  <action id="org.opensuse.cupspkhelper.mechanism.printer-set-default">
    <description>Set a printer as default printer</description>
...
    <message>Privileges are required to set a printer, or a class, as default printer.</message>
...
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

“printer-set-default” does not allow “Use Printer by Default” to be run. When an admin user unlocks the GNOME printers menu, then the item can be run. But I guess this is due to admin unlocking, not the setting.
“all-edit” allows “Use Printer by Default” to be run. This works for me:

$ sudo vim "/etc/polkit-1/rules.d/42-cups-helper.rules"
/* Allow anyone to execute the defined action
 * to set personal default printer with GNOME printer settings
 */
polkit.addRule(function(action, subject) {
        if (action.id == "org.opensuse.cupspkhelper.mechanism.all-edit")
        {
                return polkit.Result.YES;
        }
});

Users can change the printer settings, but they immediately change back to previous values.

When a user runs “Use Printer by Default” then a user-specific file gets created/updated:

$ cat ${HOME}/.cups/lpoptions
Default printer2

pro: easy to use; GNOME’s printer settings menu can be used
contra: works only in GNOME, not in Xfce (no problem here)

I commented in this upstream ticket: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/673

That ticket got deleted. I do not know why. It had a crosslink to “Printers: redesign panel (#38) · Issues · Teams / Design / settings-mockups · GitLab” but the crosslink is gone too. It was removed from my GitLab stats too.

For further investigation I created “commenting an issue (open, owned by Ghost User) got it deleted (#1661) · Issues · Infrastructure / Infrastructure · GitLab”

I add printers via CUPS web interface directly: http://localhost:631/admin

And log in with a regular user on Fedora (openSUSE and other distros require root and imply system-wide)

That implies to me that the printer is added and set as-default only for that regular user on Fedora, but I haven’t checked how that ends up from other users.

http://localhost:631/admin does not accept password of regular user due to remote user directory. With local user account I can log in, but website prints:

Forbidden
Your account does not have the necessary privileges.

Users do not have administrative rights or root password.

man lpoptions

-d destination[/instance]
Sets the user default printer to destination. If instance is supplied then that particular
instance is used. This option overrides the system default printer for the current user.
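
The per-user override from the man page excerpt above can be checked without any PolicyKit grant. The following is an added example, not part of the original thread: a POSIX shell helper that reports which default printer applies to the current user and where it comes from. The function names `lpoptions_default` and `effective_default` are hypothetical, and the lookup order (LPDEST, then PRINTER, then the personal file, then the system-wide file, then the server's default) is the one documented for the CUPS command-line tools.

```shell
#!/bin/sh
# Added example (not from the thread): show which default printer wins
# for the current user, and from which source. Function names are
# hypothetical. File arguments are optional so the check can be pointed
# at copies of the real files.

# Print the destination on the first "Default" line of an lpoptions file.
# Returns non-zero if the file is unreadable or has no such line.
lpoptions_default() {
    [ -r "$1" ] || return 1
    awk '$1 == "Default" && $2 != "" { print $2; found = 1; exit }
         END { exit !found }' "$1"
}

# Print "<source> <destination>" for the default that takes effect.
# Order: LPDEST, PRINTER, personal lpoptions, system-wide lpoptions,
# then whatever the CUPS server reports (not resolved here).
effective_default() {
    user_file=${1:-"$HOME/.cups/lpoptions"}
    system_file=${2:-/etc/cups/lpoptions}
    if [ -n "${LPDEST:-}" ]; then
        echo "env:LPDEST $LPDEST"
    elif [ -n "${PRINTER:-}" ]; then
        echo "env:PRINTER $PRINTER"
    elif dest=$(lpoptions_default "$user_file"); then
        echo "personal $dest"
    elif dest=$(lpoptions_default "$system_file"); then
        echo "system $dest"
    else
        echo "server -"
    fi
}
```

After an unprivileged user runs `lpoptions -d printer1`, `effective_default` should report `personal printer1` while `/etc/cups/lpoptions` still names the system-wide default.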