Skip to content
Commit c533b566 authored by Fyodor Kupolov's avatar Fyodor Kupolov
Browse files

Lock down access to getProfiles for 3P apps 

MANAGE_USERS permission is not required if calling userId is the same as
requested user id. Theoretically this allows any 3P app to read UserInfo
state including PII fields like name and icon. The change clears PII fields
if the caller doesn't have MANAGE_USERS permission.

Bug: 27705805
Change-Id: Ic69c8cc6aafb7ac72b4fc2b9691cb8e4bef3fb2c
parent 50e229f1
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment