commit | c533b566ff60041d4964765ce09a3da78e8866ca | [log] [tgz] |
---|---|---|
author | Fyodor Kupolov <fkupolov@google.com> | Fri Apr 01 14:37:07 2016 -0700 |
committer | Fyodor Kupolov <fkupolov@google.com> | Wed Apr 06 14:53:04 2016 -0700 |
tree | f607cd7f0c0c179ccf5703b326e4368369e0668c | |
parent | 50e229f1f45a1550ba13ec3f81e864630fc3dc1c [diff] |
Lock down access to getProfiles for 3P apps MANAGE_USERS permission is not required if calling userId is the same as requested user id. Theoretically this allows any 3P app to read UserInfo state including PII fields like name and icon. The change clears PII fields if the caller doesn't have MANAGE_USERS permission. Bug: 27705805 Change-Id: Ic69c8cc6aafb7ac72b4fc2b9691cb8e4bef3fb2c