From e3afdce8647e144c2d0c81f48860138deb976cdf Mon Sep 17 00:00:00 2001
From: Brian Attwell <brianattwell@google.com>
Date: Wed, 27 May 2015 19:49:13 -0700
Subject: Stop enforcing {READ,WRITE}_PROFILE permissions

I should also remove all support for the Authorization
API from CP2 now that we've decided there is no need
for it. I'll leave cleaning this up for after I've
finished unbundling the Contacts app.

Bug: 21090207
Change-Id: I31e6ae7b0f49c3589071f6a95f8d69a9456c144d
---
 src/com/android/providers/contacts/ContactsProvider2.java | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

(limited to 'src/com/android/providers/contacts/ContactsProvider2.java')

diff --git a/src/com/android/providers/contacts/ContactsProvider2.java b/src/com/android/providers/contacts/ContactsProvider2.java
index 8fce6a6..cd4f876 100644
--- a/src/com/android/providers/contacts/ContactsProvider2.java
+++ b/src/com/android/providers/contacts/ContactsProvider2.java
@@ -203,6 +203,7 @@ import java.util.concurrent.CountDownLatch;
 public class ContactsProvider2 extends AbstractContactsProvider
         implements OnAccountsUpdateListener {
 
+    private static final String READ_PERMISSION = "android.permission.READ_CONTACTS";
     private static final String WRITE_PERMISSION = "android.permission.WRITE_CONTACTS";
 
     /* package */ static final String UPDATE_TIMES_CONTACTED_CONTACTS_TABLE =
@@ -1512,8 +1513,6 @@ public class ContactsProvider2 extends AbstractContactsProvider
         mProfileProvider = newProfileProvider();
         mProfileProvider.setDbHelperToSerializeOn(mContactsHelper, CONTACTS_DB_TAG, this);
         ProviderInfo profileInfo = new ProviderInfo();
-        profileInfo.readPermission = "android.permission.READ_PROFILE";
-        profileInfo.writePermission = "android.permission.WRITE_PROFILE";
         profileInfo.authority = ContactsContract.AUTHORITY;
         mProfileProvider.attachInfo(getContext(), profileInfo);
         mProfileHelper = mProfileProvider.getDatabaseHelper(getContext());
@@ -2200,14 +2199,13 @@ public class ContactsProvider2 extends AbstractContactsProvider
         waitForAccess(mReadAccessLatch);
         switchToContactMode();
         if (Authorization.AUTHORIZATION_METHOD.equals(method)) {
-            Uri uri = (Uri) extras.getParcelable(Authorization.KEY_URI_TO_AUTHORIZE);
+            Uri uri = extras.getParcelable(Authorization.KEY_URI_TO_AUTHORIZE);
 
             // Check permissions on the caller.  The URI can only be pre-authorized if the caller
-            // already has the necessary permissions.
+            // already has the necessary permissions. And, we can't rely on the ContentResolver to
+            // enforce permissions for the ContentProvider#call() method.
             enforceSocialStreamReadPermission(uri);
-            if (mapsToProfileDb(uri)) {
-                mProfileProvider.enforceReadPermission(uri);
-            }
+            ContactsPermissions.enforceCallingOrSelfPermission(getContext(), READ_PERMISSION);
 
             // If there hasn't been a security violation yet, we're clear to pre-authorize the URI.
             Uri authUri = preAuthorizeUri(uri);
-- 
cgit v1.1