1125289 - KidFox: Restricted profiles - Hide all add-ons and apps installation/removal features and related UI

Status: VERIFIED FIXED

(Firefox for Android Graveyard :: Profile Handling, defect)

Comment 1

[Sebastian Kaspari (:sebastian; :pocmo)]

Attachment: 1125289-part1-disallow.patch

This patch and the following build up on the changes made in bug 1180653.

Part 1: Disallow installation of add-ons and apps.

Comment 2

[Sebastian Kaspari (:sebastian; :pocmo)]

Attachment: 1125289-part2-about_addons.patch

Part 2: Disallow browsing about:addons if DISALLOW_INSTALL_EXTENSION restriction is enforced.

Comment 3

[Allison Naaktgeboren :ally]

Comment on attachment 8637908 [details] [diff] [review]
1125289-part1-disallow.patch

Review of attachment 8637908 [details] [diff] [review]:
-----------------------------------------------------------------

This is so much nicer to read. :)

Comment 4

[Allison Naaktgeboren :ally]

Comment on attachment 8637940 [details] [diff] [review]
1125289-part2-about_addons.patch

Review of attachment 8637940 [details] [diff] [review]:
-----------------------------------------------------------------

So, this seems to work, and we could probably land this for v1 without suffering too much. 

That said, I am concerned that this is not the best approach. I would have though AboutRedirector.java would be a better place as it controls the access to the about: urls. 

Margaret, thoughts?

Comment 5

[:Margaret Leibovic]

Comment on attachment 8637940 [details] [diff] [review]
1125289-part2-about_addons.patch

Review of attachment 8637940 [details] [diff] [review]:
-----------------------------------------------------------------

::: mobile/android/base/RestrictedProfiles.java
@@ +277,5 @@
> +        if (restriction == Restriction.DISALLOW_BROWSE_FILES
> +            && url.toLowerCase().startsWith(ABOUT_ADDONS)
> +            && !isAllowed(context, Restriction.DISALLOW_INSTALL_EXTENSION)) {
> +            return false;
> +        }

This seems fine to me.

Does this also catch URLs opened from JS? If it doesn't I suppose that means we have bigger problems to deal with.

Comment 6

[Sebastian Kaspari (:sebastian; :pocmo)]

url:        https://hg.mozilla.org/integration/fx-team/rev/2b241cb3d78832537aca9d72c5b933dcdb55eff7
changeset:  2b241cb3d78832537aca9d72c5b933dcdb55eff7
user:       Sebastian Kaspari <s.kaspari@gmail.com>
date:       Tue Jul 28 13:40:37 2015 +0200
description:
Bug 1125289 - (Part 1) Disallow installing add-ons and apps. r=ally

Comment 7

[Sebastian Kaspari (:sebastian; :pocmo)]

Added 'leave-open' because I only landed part 1 so far.

(In reply to :Margaret Leibovic from comment #5)
> Does this also catch URLs opened from JS? If it doesn't I suppose that means
> we have bigger problems to deal with.

Yeah, I tried redirecting using window.location='..' and for guest/restricted profiles this method is called.

@Ally: Do we want to land part 2 as-is for v1?

Comment 8

[:Margaret Leibovic]

Comment on attachment 8637940 [details] [diff] [review]
1125289-part2-about_addons.patch

Drive-by r+ :)

Comment 9

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/2b241cb3d788

Comment 10

[Allison Naaktgeboren :ally]

sounds like margaret has given you an r+ to land as is. go for it.

Comment 11

[Sebastian Kaspari (:sebastian; :pocmo)]

url:        https://hg.mozilla.org/integration/fx-team/rev/ae3706a5cb96da2f5a645f3b6867652f7b451311
changeset:  ae3706a5cb96da2f5a645f3b6867652f7b451311
user:       Sebastian Kaspari <s.kaspari@gmail.com>
date:       Tue Jul 28 14:20:51 2015 +0200
description:
Bug 1125289 - Restricted profiles: Disallow browsing about:addons. r=margaret

Comment 12

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/ae3706a5cb96

Comment 13

[u549602]

Verified as fixed on latest Aurora