Reintroduce "permissions" permission.

RESOLVED FIXED in Firefox OS v2.0

Status

Firefox OS
FindMyDevice
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: ggp, Assigned: ggp)

Tracking

unspecified
2.0 S6 (18july)
x86
Mac OS X

Firefox Tracking Flags

(blocking-b2g:2.0+, b2g-v2.0 fixed, b2g-v2.1 fixed)

Details

Attachments

(1 attachment)

46 bytes, text/x-github-pull-request
On parental leave
: review+
Details | Review | Splinter Review
(Assignee)

Description

3 years ago
Bug 1032903 removed the "permissions" permission from FMD. As it turns out, this permission controls access to the mozPermissionSettings API, which is needed by the track command. We need to reintroduce the permission, and "track" will be broken until we do.

Updated

3 years ago
Target Milestone: --- → 2.0 S6 (18july)
(Assignee)

Comment 1

3 years ago
Created attachment 8453126 [details] [review]
gaia pull request

Sorry for overlooking this, here's a patch.
Attachment #8453126 - Flags: review?(lissyx+mozillians)

Updated

3 years ago
blocking-b2g: --- → 2.0?

Updated

3 years ago
Attachment #8453126 - Flags: review?(lissyx+mozillians) → review+
(Assignee)

Updated

3 years ago
Keywords: checkin-needed
Looks good on gaia-try[1], merging.

Master: https://github.com/mozilla-b2g/gaia/commit/bc59445675c1cadefdd9d6b2db185aca7b2f099d

[1] https://tbpl.mozilla.org/?rev=a00a82bb082927d43f3f0a7a3059560705142c8f&tree=Gaia-Try
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-b2g-v2.1: --- → fixed
Keywords: checkin-needed
Resolution: --- → FIXED

Updated

3 years ago
blocking-b2g: 2.0? → 2.0+
v2.0: https://github.com/mozilla-b2g/gaia/commit/6af4a6a5d0b5b420c59cf5c856cd5a13ee35aac9
status-b2g-v2.0: --- → fixed
How come this doesn't have a proper security and webapi review? The 'permission' permission is probably the API that can cause the most damage for the user.
Flags: needinfo?(ggoncalves)
(Assignee)

Comment 5

3 years ago
This bug is just about restoring a permission that was accidentally removed in another patch, so I assume you are questioning its introduction in the first place. The 'permission' permission was added back in bug 938901, when FMD first landed on Gaia after being reviewed by a module owner. FMD has since gone through a client-side security review (bug 938357) as well, but no issues related to permissions were raised.

If there was any other review procedure we should have followed, for either this bug or bug 938901, I wasn't aware of it, and I apologize. Please let me know what we can do about it, and I'll make sure this doesn't happen again.
Flags: needinfo?(ggoncalves)
(In reply to Guilherme Gonçalves [:ggp] from comment #5)
> This bug is just about restoring a permission that was accidentally removed
> in another patch, so I assume you are questioning its introduction in the
> first place. The 'permission' permission was added back in bug 938901, when
> FMD first landed on Gaia after being reviewed by a module owner. FMD has
> since gone through a client-side security review (bug 938357) as well, but
> no issues related to permissions were raised.
> 
> If there was any other review procedure we should have followed, for either
> this bug or bug 938901, I wasn't aware of it, and I apologize. Please let me
> know what we can do about it, and I'll make sure this doesn't happen again.

Using the permission API for this use-case is pretty big overkill. We should rather fix it in another way. I talked to Jonas about this and the easiest fix is to introduce a geolocation-noprompt permission.
(Assignee)

Comment 7

3 years ago
Fair enough, I filed bug 1058330 for the FMD changes.
Dear Guilherme,
Could you please provide a repro video or steps, thanks!
Flags: needinfo?(ggoncalves)
(Assignee)

Comment 9

3 years ago
This change ended up being reverted by bug 1058330, in which we replaced the 'permissions' permission with 'geolocation-noprompt'. Verifying this only requires making sure that FMD manages to track a device successfully without triggering the geolocation permission prompt.
Flags: needinfo?(ggoncalves)
You need to log in before you can comment on or make changes to this bug.