Restrict access to permissions based on extension types.

chrome/common/extensions/extension.cc

Index: chrome/common/extensions/extension.cc
diff --git a/chrome/common/extensions/extension.cc b/chrome/common/extensions/extension.cc
index 1ea3041df5e8058805c7fa94ca67b851288751d1..8c991758c37385da6900e06701128523c7e12990 100644
--- a/chrome/common/extensions/extension.cc
+++ b/chrome/common/extensions/extension.cc
@@ -2846,21 +2846,20 @@ bool Extension::CanSpecifyAPIPermission(
     }
   }
 
-  if (is_hosted_app()) {
-    if (!CanSpecifyPermissionForHostedApp(permission)) {
-      // Some old versions of Chrome did not return errors here and we ended up
-      // with extensions in the store containing bad data: crbug.com/101993.
-      //
-      // TODO(aa): Consider just being a lot looser when loading and installing
-      // extensions. We can be strict when packing and in development mode. Then
-      // we won't have to maintain all these tricky backward compat issues:
-      // crbug.com/102328.
-      if (creation_flags_ & STRICT_ERROR_CHECKS) {
-        *error = ExtensionErrorUtils::FormatErrorMessage(
-            errors::kPermissionNotAllowed, permission->name());
-      }
-      return false;
+  if (location_ != Extension::COMPONENT &&
+      !CanSpecifyPermissionForType(permission)) {
+    // Some old versions of Chrome did not return errors here and we ended up
+    // with extensions in the store containing bad data: crbug.com/101993.
+    //
+    // TODO(aa): Consider just being a lot looser when loading and installing
+    // extensions. We can be strict when packing and in development mode. Then
+    // we won't have to maintain all these tricky backward compat issues:
+    // crbug.com/102328.
+    if (creation_flags_ & STRICT_ERROR_CHECKS) {

[Aaron Boodman, 2011/11/22 09:40:32]

I don't think we want to be lose with the errors for new types right? The
behavior with hosted apps was a mistake.

[Aaron Boodman, 2011/11/22 09:41:17]

sigh, *loose*

[jstritar, 2011/11/22 15:58:29]

Won't we run into this again?

http://b/issue?id=5514150

+      *error = ExtensionErrorUtils::FormatErrorMessage(
+          errors::kPermissionNotAllowed, permission->name());
     }
+    return false;
   }
 
   return true;
@@ -2901,15 +2900,21 @@ bool Extension::CanSpecifyExperimentalPermission() const {
   return false;
 }
 
-bool Extension::CanSpecifyPermissionForHostedApp(
+bool Extension::CanSpecifyPermissionForType(
     const ExtensionAPIPermission* permission) const {
-  if (location_ == Extension::COMPONENT)
-    return true;
-
-  if (permission->is_hosted_app())
-    return true;
-
-  return false;
+  switch (GetType()) {

[Aaron Boodman, 2011/11/22 09:40:32]

This is so short, you could just fold it into CanSpecifyAPIPermission() to
address my 'how is this different than...' comment.

[jstritar, 2011/11/22 15:58:29]

Done.

+    case TYPE_USER_SCRIPT: // Pass through.
+    case TYPE_EXTENSION:
+      return permission->supports_extensions();
+    case TYPE_HOSTED_APP:
+      return permission->supports_hosted_apps();
+    case TYPE_PACKAGED_APP:
+      return permission->supports_packaged_apps();
+    case TYPE_PLATFORM_APP:
+      return permission->supports_platform_apps();
+    default:
+      return false;
+  }
 }
 
 bool Extension::CanExecuteScriptEverywhere() const {