author | Jae Seo <jaeseo@google.com> | 2014-08-13 15:27:20 -0700 |
---|---|---|
committer | Jae Seo <jaeseo@google.com> | 2014-08-13 16:26:48 -0700 |
commit | 2f1a3b6808ac14bc024deca6139d72a648f8b43a (patch) | |
tree | f9101ef48326be167be95d5cc0aab5709d208020 | |
parent | 55d148657809a115754aa06de2e20147f8a98696 (diff) | |
download | TvProvider-2f1a3b6808ac14bc024deca6139d72a648f8b43a.tar.gz |
Require MODIFY_PARENTAL_CONTROLS permission to update COLUMN_LOCKED
Since the locked column (TvContract.Channels.COLUMN_LOCKED) is used for
parental control it should be restricted by the parental control
permission (android.permission.MODIFY_PARENTAL_CONTROLS).
Bug: 16992858
Change-Id: I0129e85dbc1fddde612ee1a51ab8c836eb9272bf
-rw-r--r-- | src/com/android/providers/tv/TvProvider.java | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/src/com/android/providers/tv/TvProvider.java b/src/com/android/providers/tv/TvProvider.java index a795f97..234a58f 100644 --- a/src/com/android/providers/tv/TvProvider.java +++ b/src/com/android/providers/tv/TvProvider.java @@ -429,7 +429,7 @@ public class TvProvider extends ContentProvider { public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) { if (needsToLimitPackage(uri) && !TextUtils.isEmpty(sortOrder)) { - throw new IllegalArgumentException("Sort order not allowed for " + uri); + throw new SecurityException("Sort order not allowed for " + uri); } SqlParams params = createSqlParams(OP_QUERY, uri, selection, selectionArgs); @@ -562,7 +562,12 @@ public class TvProvider extends ContentProvider { @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { SqlParams params = createSqlParams(OP_UPDATE, uri, selection, selectionArgs); - if (params.getTables().equals(PROGRAMS_TABLE)) { + if (params.getTables().equals(CHANNELS_TABLE)) { + if (values.containsKey(Channels.COLUMN_LOCKED) + && !callerHasModifyParentalControlsPermission()) { + throw new SecurityException("Not allowed to modify Channels.COLUMN_LOCKED"); + } + } else if (params.getTables().equals(PROGRAMS_TABLE)) { checkAndConvertGenre(values); } SQLiteDatabase db = mOpenHelper.getWritableDatabase(); @@ -579,7 +584,7 @@ public class TvProvider extends ContentProvider { SqlParams params = new SqlParams(null, selection, selectionArgs); if (needsToLimitPackage(uri)) { if (!TextUtils.isEmpty(selection)) { - throw new IllegalArgumentException("Selection not allowed for " + uri); + throw new SecurityException("Selection not allowed for " + uri); } params.setWhere(BaseTvColumns.COLUMN_PACKAGE_NAME + "=?", getCallingPackage_()); } 
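Review bot: The sort-order rejection in query() now surfaces as a SecurityException, but neither the message nor a comment says which permission lifts it. Going by the helper changed later in this diff, `needsToLimitPackage` is false for callers holding ACCESS_ALL_EPG_DATA, so a comment above the check such as `// Callers without ACCESS_ALL_EPG_DATA are confined to their own package's rows and may not supply a sort order.` would make the policy readable. The same applies to the "Selection not allowed" check in createSqlParams() in the third hunk. Clients that caught IllegalArgumentException for these cases now have to catch SecurityException, which is worth stating in the commit message.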
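Review bot: The new COLUMN_LOCKED guard covers update() only, and insert() is not part of this diff. If insert() accepts caller-supplied ContentValues for the channels table, a caller without MODIFY_PARENTAL_CONTROLS could still set the column when the row is created, so that path should be confirmed and given the same `values.containsKey(Channels.COLUMN_LOCKED) && !callerHasModifyParentalControlsPermission()` check. Separately, `values.containsKey(...)` now dereferences `values` for channel URIs where the old branch did not, so a null `values` fails with a NullPointerException at this line. An explicit guard before the check would keep that failure readable. update()'s body continues outside the hunk.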
@@ -590,7 +595,7 @@ public class TvProvider extends ContentProvider { params.setTables(CHANNELS_TABLE); } else { if (!operation.equals(OP_QUERY)) { - throw new IllegalArgumentException(capitalize(operation) + throw new SecurityException(capitalize(operation) + " not allowed for " + uri); } if (!Genres.isCanonical(genre)) { @@ -747,14 +752,20 @@ public class TvProvider extends ContentProvider { // user's watch log is treated separately with a special permission. int match = sUriMatcher.match(uri); return match != MATCH_WATCHED_PROGRAM && match != MATCH_WATCHED_PROGRAM_ID - && !callerHasFullEpgAccess(); + && !callerHasAccessAllEpgDataPermission(); } - private boolean callerHasFullEpgAccess() { + private boolean callerHasAccessAllEpgDataPermission() { return getContext().checkCallingOrSelfPermission(PERMISSION_ACCESS_ALL_EPG_DATA) == PackageManager.PERMISSION_GRANTED; } + private boolean callerHasModifyParentalControlsPermission() { + return getContext().checkCallingOrSelfPermission( + android.Manifest.permission.MODIFY_PARENTAL_CONTROLS) + == PackageManager.PERMISSION_GRANTED; + } + @Override public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException { switch (sUriMatcher.match(uri)) { @@ -770,7 +781,7 @@ public class TvProvider extends ContentProvider { SqlParams params = new SqlParams(CHANNELS_TABLE, Channels._ID + "=?", String.valueOf(channelId)); - if (!callerHasFullEpgAccess()) { + if (!callerHasAccessAllEpgDataPermission()) { params.appendWhere(Channels.COLUMN_PACKAGE_NAME + "=?", getCallingPackage_()); } |
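Review bot: SecurityException reads as a permission failure, yet the check at `if (!operation.equals(OP_QUERY))` depends, as far as this hunk shows, only on the operation and not on the caller. If no permission can make a non-query operation succeed on this URI, the previous IllegalArgumentException (or an UnsupportedOperationException) describes the failure more accurately and keeps real permission denials distinguishable in logs. The enclosing method begins and ends outside the hunk, so the caller-dependence should be confirmed against the full body.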
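Review bot: `callerHasModifyParentalControlsPermission()` relies on `checkCallingOrSelfPermission`, which also passes when the call originates in the provider's own process, and nothing here records that this is intended for a parental-control gate. A comment such as `// OrSelf is deliberate: in-process callers run with the provider's own permissions.` would document the choice. If it is not intended, `checkCallingPermission` is the stricter variant. The two helpers are now identical apart from the permission string, so a single `private boolean callerHasPermission(String permission)` would remove the duplication. The new helper also spells out `android.Manifest.permission.MODIFY_PARENTAL_CONTROLS` inline while its sibling uses the `PERMISSION_ACCESS_ALL_EPG_DATA` constant, so a matching constant would keep the two consistent.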