commit da1350f28011ef7ed6b02d514c3a86a8cc8007de
author Sander Alewijnse <salewijnse@google.com> Thu May 08 16:59:42 2014 +0100
committer Sander Alewijnse <salewijnse@google.com> Thu May 08 16:59:42 2014 +0100
tree 0ae86ceaf432ef0dbf41468674798a4cf99b69ed
parent 695015dd1116d7dea0de9bc58e77d633bf5cc045

AccountManager cannot modify accounts according to device policy.

Change-Id: Ied03b16c31312f7a4a934616c3c25b2481de818e

services/core/java/com/android/server/accounts/AccountManagerService.java

diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index f587ccc..b2aaf74 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -34,6 +34,7 @@
 import android.app.Notification;
 import android.app.NotificationManager;
 import android.app.PendingIntent;
+import android.app.admin.DevicePolicyManager;
 import android.content.BroadcastReceiver;
 import android.content.ComponentName;
 import android.content.ContentValues;
@@ -857,7 +858,7 @@
         checkManageAccountsPermission();
         UserHandle user = Binder.getCallingUserHandle();
         UserAccounts accounts = getUserAccountsForCaller();
-        if (!canUserModifyAccounts(Binder.getCallingUid())) {
+        if (!canUserModifyAccounts(Binder.getCallingUid(), account.type)) {
             try {
                 response.onError(AccountManager.ERROR_CODE_UNSUPPORTED_OPERATION,
                         "User cannot modify accounts");
@@ -1512,7 +1513,7 @@
         checkManageAccountsPermission();
 
         // Is user disallowed from modifying accounts?
-        if (!canUserModifyAccounts(Binder.getCallingUid())) {
+        if (!canUserModifyAccounts(Binder.getCallingUid(), accountType)) {
             try {
                 response.onError(AccountManager.ERROR_CODE_USER_RESTRICTED,
                         "User is not allowed to add an account!");
@@ -2758,7 +2759,7 @@
                 Manifest.permission.USE_CREDENTIALS);
     }
 
-    private boolean canUserModifyAccounts(int callingUid) {
+    private boolean canUserModifyAccounts(int callingUid, String accountType) {
         if (callingUid != Process.myUid()) {
             if (getUserManager().getUserRestrictions(
                     new UserHandle(UserHandle.getUserId(callingUid)))
@@ -2766,6 +2767,15 @@
                 return false;
             }
         }
+
+        DevicePolicyManager dpm = (DevicePolicyManager) mContext
+                .getSystemService(Context.DEVICE_POLICY_SERVICE);
+        String[] typesArray = dpm.getAccountTypesWithManagementDisabled();
+        for (String forbiddenType : typesArray) {
+            if (forbiddenType.equals(accountType)) {
+                return false;
+            }
+        }
         return true;
     }