Protect undemote method with permission check
Undemoting goes through a separate code path as the rest of the
CP2 queries/updates, so we need to do a permission check for the
WRITE_CONTACTS permission
Change-Id: I547270376c55f6ff311d5712eef8a6b0b923eee8
diff --git a/src/com/android/providers/contacts/ContactsProvider2.java b/src/com/android/providers/contacts/ContactsProvider2.java
index f2adadb..7142459 100644
--- a/src/com/android/providers/contacts/ContactsProvider2.java
+++ b/src/com/android/providers/contacts/ContactsProvider2.java
@@ -193,6 +193,8 @@
public class ContactsProvider2 extends AbstractContactsProvider
implements OnAccountsUpdateListener {
+ private static final String WRITE_PERMISSION = "android.permission.WRITE_CONTACTS";
+
/* package */ static final String UPDATE_TIMES_CONTACTED_CONTACTS_TABLE =
"UPDATE " + Tables.CONTACTS + " SET " + Contacts.TIMES_CONTACTED + "=" +
" ifnull(" + Contacts.TIMES_CONTACTED + ",0)+1" +
@@ -2181,6 +2183,7 @@
response.putParcelable(Authorization.KEY_AUTHORIZED_URI, authUri);
return response;
} else if (PinnedPositions.UNDEMOTE_METHOD.equals(method)) {
+ getContext().enforceCallingOrSelfPermission(WRITE_PERMISSION, null);
final long id;
try {
id = Long.valueOf(arg);