Closed Bug 818583 Opened 8 years ago Closed 8 years ago

Permissions Installer - states that a privileged app can access device-storage:apps via PROMPT_ACTION, but permissions matrix states it should be DENY_ACTION

Categories

(Firefox OS Graveyard :: General, defect, P1)

ARM
Gonk (Firefox OS)
defect

Tracking

(blocking-basecamp:+, firefox18 fixed, firefox19 fixed, firefox20 fixed, b2g18 fixed)

RESOLVED FIXED
B2G C2 (20nov-10dec)
blocking-basecamp +
Tracking Status
firefox18 --- fixed
firefox19 --- fixed
firefox20 --- fixed
b2g18 --- fixed

People

(Reporter: jsmith, Assigned: gwagner)

References

Details

(Whiteboard: [qa-])

Attachments

(2 files)

The permissions installer states the following about device-storage:apps:

74                            "device-storage:apps": {
75                              app: DENY_ACTION,
76                              privileged: PROMPT_ACTION,
77                              certified: ALLOW_ACTION,
78                              access: ["read", "write", "create"]
79                            },

However, the permissions matrix says it should be DENY_ACTION for a privileged app.
blocking-basecamp: --- → ?
Same comment as the others:

- If doc is wrong - minus and state to update doc
- If code is wrong, let's + and fix this
Spoke with Gregor in IRC - all of them going his way to resolve the contention.
Assignee: nobody → anygregor
blocking-basecamp: ? → +
I believe this permission allows access to the entire apps directory, right?  If so we should definitely fix the code to match the perms matrix.
Priority: -- → P1
There are two changes needed here:

privileged should be DENY_ACTION and the access property should just be ["read"]
Attached file pointer
Attachment #689400 - Flags: review?(jonas)
Attached patch patchSplinter Review
Attachment #689402 - Flags: review?(jonas)
Whiteboard: [qa-]
Whiteboard: [qa-] → [qa-][status-b2g18:fixed]
Whiteboard: [qa-][status-b2g18:fixed] → [qa-]
Attachment mime type: text/plain → text/x-github-pull-request
You need to log in before you can comment on or make changes to this bug.