1824346 - addons actor allows uninstallation of any add-on, not just the temporarily loaded ones

Status: RESOLVED FIXED

(WebExtensions :: Developer Tools, task, P3)

Description

[Rob Wu [:robwu]]

The uninstallAddon method of the addons actor was introduced in bug 1823457 to support the removal of temporarily loaded extensions. The implementation is quite generic, and allows uninstallation of any extension: https://searchfox.org/mozilla-central/rev/6fc2f6d5335fb6f70f780b5fea5ed77b0719c3b5/devtools/server/actors/addon/addons.js#70-72

The logic above does not check for the presence of AddonManager.PERM_CAN_UNINSTALL, and consequently the remote debugging protocol could be used to uninstall an add-on despite enterprise policy settings.

Since we don't need to support uninstallation of any add-on, we should adjust the check to only permit the uninstallation of temporarily installed extensions. If we ever need to expand it, we should at least check for PERM_CAN_UNINSTALL prior to calling addon.uninstall().

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1823457

:willdurand, since you are the author of the regressor, bug 1823457, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

Comment 2

[William Durand [:willdurand]]

Attachment: Bug 1824346 - Only uninstall temporary add-ons. r?jdescottes!,robwu!

Comment 3

[Pulsebot]

Pushed by wdurand@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a1b3b4fb4c40
Only uninstall temporary add-ons. r=jdescottes,robwu,devtools-reviewers

Comment 4

[Marian-Vasile Laza]

https://hg.mozilla.org/mozilla-central/rev/a1b3b4fb4c40