Closed Bug 1036423 Opened 5 years ago Closed 5 years ago

Reintroduce "permissions" permission.

Categories

(Firefox OS Graveyard :: FindMyDevice, defect)

x86
macOS
defect
Not set

Tracking

(blocking-b2g:2.0+, b2g-v2.0 fixed, b2g-v2.1 fixed)

RESOLVED FIXED
2.0 S6 (18july)
blocking-b2g 2.0+
Tracking Status
b2g-v2.0 --- fixed
b2g-v2.1 --- fixed

People

(Reporter: ggp, Assigned: ggp)

Details

Attachments

(1 file)

46 bytes, text/x-github-pull-request
ferjm
: review+
Details | Review
Bug 1032903 removed the "permissions" permission from FMD. As it turns out, this permission controls access to the mozPermissionSettings API, which is needed by the track command. We need to reintroduce the permission, and "track" will be broken until we do.
Target Milestone: --- → 2.0 S6 (18july)
Attached file gaia pull request
Sorry for overlooking this, here's a patch.
Attachment #8453126 - Flags: review?(lissyx+mozillians)
blocking-b2g: --- → 2.0?
Attachment #8453126 - Flags: review?(lissyx+mozillians) → review+
Keywords: checkin-needed
blocking-b2g: 2.0? → 2.0+
How come this doesn't have a proper security and webapi review? The 'permission' permission is probably the API that can cause the most damage for the user.
Flags: needinfo?(ggoncalves)
This bug is just about restoring a permission that was accidentally removed in another patch, so I assume you are questioning its introduction in the first place. The 'permission' permission was added back in bug 938901, when FMD first landed on Gaia after being reviewed by a module owner. FMD has since gone through a client-side security review (bug 938357) as well, but no issues related to permissions were raised.

If there was any other review procedure we should have followed, for either this bug or bug 938901, I wasn't aware of it, and I apologize. Please let me know what we can do about it, and I'll make sure this doesn't happen again.
Flags: needinfo?(ggoncalves)
(In reply to Guilherme Gonçalves [:ggp] from comment #5)
> This bug is just about restoring a permission that was accidentally removed
> in another patch, so I assume you are questioning its introduction in the
> first place. The 'permission' permission was added back in bug 938901, when
> FMD first landed on Gaia after being reviewed by a module owner. FMD has
> since gone through a client-side security review (bug 938357) as well, but
> no issues related to permissions were raised.
> 
> If there was any other review procedure we should have followed, for either
> this bug or bug 938901, I wasn't aware of it, and I apologize. Please let me
> know what we can do about it, and I'll make sure this doesn't happen again.

Using the permission API for this use-case is pretty big overkill. We should rather fix it in another way. I talked to Jonas about this and the easiest fix is to introduce a geolocation-noprompt permission.
Fair enough, I filed bug 1058330 for the FMD changes.
Dear Guilherme,
Could you please provide a repro video or steps, thanks!
Flags: needinfo?(ggoncalves)
This change ended up being reverted by bug 1058330, in which we replaced the 'permissions' permission with 'geolocation-noprompt'. Verifying this only requires making sure that FMD manages to track a device successfully without triggering the geolocation permission prompt.
Flags: needinfo?(ggoncalves)
You need to log in before you can comment on or make changes to this bug.