PepperFileRefHost: Port to use explicit permission grants in ChildProcessSecurityPolicy.

content/browser/fileapi/browser_file_system_helper.cc

Index: content/browser/fileapi/browser_file_system_helper.cc
diff --git a/content/browser/fileapi/browser_file_system_helper.cc b/content/browser/fileapi/browser_file_system_helper.cc
index e8e81ce12362aa51871e5bc12a3da4d6705d8200..56f47bdb6e4968133944f05e9469d83d1862388c 100644
--- a/content/browser/fileapi/browser_file_system_helper.cc
+++ b/content/browser/fileapi/browser_file_system_helper.cc
@@ -92,6 +92,15 @@ scoped_refptr<fileapi::FileSystemContext> CreateFileSystemContext(
   return file_system_context;
 }
 
+bool FileSystemURLIsValid(
+    fileapi::FileSystemContext* context,
+    const fileapi::FileSystemURL& url) {
+  if (!url.is_valid())
+    return false;
+
+  return context->GetFileSystemBackend(url.type()) != NULL;
+}
+
 bool CheckFileSystemPermissionsForProcess(
     fileapi::FileSystemContext* context, int process_id,
     const fileapi::FileSystemURL& url, int permissions,
@@ -99,14 +108,7 @@ bool CheckFileSystemPermissionsForProcess(
   DCHECK(error);
   *error = base::PLATFORM_FILE_OK;
 
-  if (!url.is_valid()) {
-    *error = base::PLATFORM_FILE_ERROR_INVALID_URL;
-    return false;
-  }
-
-  fileapi::FileSystemBackend* mount_point_provider =
-      context->GetFileSystemBackend(url.type());
-  if (!mount_point_provider) {
+  if (!FileSystemURLIsValid(context, url)) {
     *error = base::PLATFORM_FILE_ERROR_INVALID_URL;
     return false;
   }
@@ -131,15 +133,15 @@ void SyncGetPlatformPath(fileapi::FileSystemContext* context,
   DCHECK(platform_path);
   *platform_path = base::FilePath();
   fileapi::FileSystemURL url(context->CrackURL(path));
-  if (!url.is_valid())
+  if (!FileSystemURLIsValid(context, url))
     return;
 
   // Make sure if this file is ok to be read (in the current architecture
   // which means roughly same as the renderer is allowed to get the platform
   // path to the file).
-  base::PlatformFileError error;
-  if (!CheckFileSystemPermissionsForProcess(
-      context, process_id, url, fileapi::kReadFilePermissions, &error))
+  ChildProcessSecurityPolicyImpl* policy =
+      ChildProcessSecurityPolicyImpl::GetInstance();
+  if (!policy->CanReadFileSystemFile(process_id, url))
     return;
 
   context->operation_runner()->SyncGetPlatformPath(url, platform_path);
@@ -147,11 +149,8 @@ void SyncGetPlatformPath(fileapi::FileSystemContext* context,
   // The path is to be attached to URLLoader so we grant read permission
   // for the file. (We first need to check if it can already be read not to
   // overwrite existing permissions)
-  if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(
-          process_id, *platform_path)) {
-    ChildProcessSecurityPolicyImpl::GetInstance()->GrantReadFile(
-        process_id, *platform_path);
-  }
+  if (!policy->CanReadFile(process_id, *platform_path))

[Tom Sepez, 2013/07/19 18:39:28]

Is this still the case?  Don't the permissions have to or with each other now?
Considering each one of these is a lock get, I'd like to just set it
irrespectively.

[tommycli, 2013/07/23 21:12:35]

Done. I see no harm in setting it irrespectively.

+    policy->GrantReadFile(process_id, *platform_path);
 }
 
 }  // namespace content