Chromium Code Reviews Chromium Code Reviews
Issue 374853002:
Providing more information on why certain users can't be added to multi-profile (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/login/users/multi_profile_user_controller.h" | 5 #include "chrome/browser/chromeos/login/users/multi_profile_user_controller.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/memory/scoped_ptr.h" | 8 #include "base/memory/scoped_ptr.h" |
| 9 #include "base/prefs/pref_change_registrar.h" | 9 #include "base/prefs/pref_change_registrar.h" |
| 10 #include "base/prefs/pref_registry_simple.h" | 10 #include "base/prefs/pref_registry_simple.h" |
| (...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 80 registry->RegisterBooleanPref( | 80 registry->RegisterBooleanPref( |
| 81 prefs::kMultiProfileNeverShowIntro, | 81 prefs::kMultiProfileNeverShowIntro, |
| 82 false, | 82 false, |
| 83 user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); | 83 user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); |
| 84 registry->RegisterBooleanPref( | 84 registry->RegisterBooleanPref( |
| 85 prefs::kMultiProfileWarningShowDismissed, | 85 prefs::kMultiProfileWarningShowDismissed, |
| 86 false, | 86 false, |
| 87 user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); | 87 user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); |
| 88 } | 88 } |
| 89 | 89 |
| 90 bool MultiProfileUserController::IsUserAllowedInSession( | 90 MultiProfileUserController::UserAllowedInSessionReason |
|
James Cook
2014/08/11 17:01:34
can this function be static? or moved into the an
Roman Sorokin (ftl)
2014/08/11 17:41:45
made static
| |
| 91 const std::string& user_email, | 91 MultiProfileUserController::GetPrimaryUserPolicy() const { |
|
James Cook
2014/08/11 17:01:34
Pass in |primary_user| since you've already looked
Roman Sorokin (ftl)
2014/08/11 17:41:45
Actually I call this function from session_state_d
| |
| 92 MultiProfileUserController::UserAllowedInSessionReason* reason) const { | 92 chromeos::UserManager* user_manager = chromeos::UserManager::Get(); |
|
James Cook
2014/08/11 17:01:34
"chromeos::" not needed
Roman Sorokin (ftl)
2014/08/11 17:41:45
Done.
| |
| 93 UserManager* user_manager = UserManager::Get(); | |
| 94 CHECK(user_manager); | 93 CHECK(user_manager); |
| 95 | 94 |
| 96 const user_manager::User* primary_user = user_manager->GetPrimaryUser(); | 95 const user_manager::User* primary_user = user_manager->GetPrimaryUser(); |
| 97 std::string primary_user_email; | 96 if (!primary_user) |
| 98 if (primary_user) | 97 return MultiProfileUserController::ALLOWED; |
|
James Cook
2014/08/11 17:01:34
No need for MultiProfileUserController:: (unless y
Roman Sorokin (ftl)
2014/08/11 17:41:45
Done.
| |
| 99 primary_user_email = primary_user->email(); | 98 Profile* primary_user_profile = |
| 99 chromeos::ProfileHelper::Get()->GetProfileByUser(primary_user); | |
| 100 | 100 |
| 101 // Always allow if there is no primary user or user being checked is the | 101 std::string primary_user_email = primary_user->email(); |
| 102 // primary user. | |
| 103 if (primary_user_email.empty() || primary_user_email == user_email) | |
| 104 return SetUserAllowedReason(reason, ALLOWED); | |
| 105 | |
| 106 // Owner is not allowed to be secondary user. | |
| 107 if (user_manager->GetOwnerEmail() == user_email) | |
| 108 return SetUserAllowedReason(reason, NOT_ALLOWED_OWNER_AS_SECONDARY); | |
| 109 | |
| 110 // Don't allow profiles potentially tainted by data fetched with policy-pushed | |
| 111 // certificates to join a multiprofile session. | |
| 112 if (policy::PolicyCertServiceFactory::UsedPolicyCertificates(user_email)) | |
| 113 return SetUserAllowedReason(reason, NOT_ALLOWED_POLICY_CERT_TAINTED); | |
| 114 | 102 |
| 115 // Don't allow any secondary profiles if the primary profile is tainted. | 103 // Don't allow any secondary profiles if the primary profile is tainted. |
| 116 if (policy::PolicyCertServiceFactory::UsedPolicyCertificates( | 104 if (policy::PolicyCertServiceFactory::UsedPolicyCertificates( |
| 117 primary_user_email)) { | 105 primary_user_email)) { |
| 118 // Check directly in local_state before checking if the primary user has | 106 // Check directly in local_state before checking if the primary user has |
| 119 // a PolicyCertService. His profile may have been tainted previously though | 107 // a PolicyCertService. His profile may have been tainted previously though |
| 120 // he didn't get a PolicyCertService created for this session. | 108 // he didn't get a PolicyCertService created for this session. |
| 121 return SetUserAllowedReason(reason, | 109 return NOT_ALLOWED_PRIMARY_POLICY_CERT_TAINTED; |
| 122 NOT_ALLOWED_PRIMARY_POLICY_CERT_TAINTED); | |
| 123 } | 110 } |
| 124 | 111 |
| 125 // If the primary profile already has policy certificates installed but hasn't | 112 // If the primary profile already has policy certificates installed but hasn't |
| 126 // used them yet then it can become tainted at any time during this session; | 113 // used them yet then it can become tainted at any time during this session; |
| 127 // disable secondary profiles in this case too. | 114 // disable secondary profiles in this case too. |
| 128 Profile* primary_user_profile = | |
| 129 primary_user ? ProfileHelper::Get()->GetProfileByUser(primary_user) | |
| 130 : NULL; | |
| 131 policy::PolicyCertService* service = | 115 policy::PolicyCertService* service = |
| 132 primary_user_profile ? policy::PolicyCertServiceFactory::GetForProfile( | 116 primary_user_profile ? policy::PolicyCertServiceFactory::GetForProfile( |
| 133 primary_user_profile) | 117 primary_user_profile) |
| 134 : NULL; | 118 : NULL; |
| 135 if (service && service->has_policy_certificates()) | 119 if (service && service->has_policy_certificates()) |
| 136 return SetUserAllowedReason(reason, | 120 return NOT_ALLOWED_PRIMARY_POLICY_CERT_TAINTED; |
| 137 NOT_ALLOWED_PRIMARY_POLICY_CERT_TAINTED); | |
| 138 | 121 |
| 139 // No user is allowed if the primary user policy forbids it. | 122 // No user is allowed if the primary user policy forbids it. |
| 140 const std::string primary_user_behavior = | 123 const std::string primary_user_behavior = |
| 141 primary_user_profile->GetPrefs()->GetString( | 124 primary_user_profile->GetPrefs()->GetString( |
| 142 prefs::kMultiProfileUserBehavior); | 125 prefs::kMultiProfileUserBehavior); |
| 143 if (primary_user_behavior == kBehaviorNotAllowed) | 126 if (primary_user_behavior == kBehaviorNotAllowed) |
| 144 return SetUserAllowedReason(reason, | 127 return NOT_ALLOWED_PRIMARY_USER_POLICY_FORBIDS; |
| 145 NOT_ALLOWED_PRIMARY_USER_POLICY_FORBIDS); | 128 |
| 129 return MultiProfileUserController::ALLOWED; | |
|
James Cook
2014/08/11 17:01:34
ditto
Roman Sorokin (ftl)
2014/08/11 17:41:45
Done.
| |
| 130 } | |
| 131 | |
| 132 bool MultiProfileUserController::IsUserAllowedInSession( | |
| 133 const std::string& user_email, | |
| 134 MultiProfileUserController::UserAllowedInSessionReason* reason) const { | |
| 135 UserManager* user_manager = UserManager::Get(); | |
| 136 CHECK(user_manager); | |
| 137 | |
| 138 const user_manager::User* primary_user = user_manager->GetPrimaryUser(); | |
| 139 std::string primary_user_email; | |
| 140 if (primary_user) | |
| 141 primary_user_email = primary_user->email(); | |
| 142 | |
| 143 // Always allow if there is no primary user or user being checked is the | |
| 144 // primary user. | |
| 145 if (primary_user_email.empty() || primary_user_email == user_email) | |
| 146 return SetUserAllowedReason(reason, ALLOWED); | |
| 147 | |
| 148 // Owner is not allowed to be secondary user. | |
| 149 if (user_manager->GetOwnerEmail() == user_email) | |
| 150 return SetUserAllowedReason(reason, NOT_ALLOWED_OWNER_AS_SECONDARY); | |
| 151 | |
| 152 // Don't allow profiles potentially tainted by data fetched with policy-pushed | |
| 153 // certificates to join a multiprofile session. | |
| 154 if (policy::PolicyCertServiceFactory::UsedPolicyCertificates(user_email)) | |
| 155 return SetUserAllowedReason(reason, NOT_ALLOWED_POLICY_CERT_TAINTED); | |
| 156 | |
| 157 UserAllowedInSessionReason primary_user_policy = GetPrimaryUserPolicy(); | |
| 158 if (primary_user_policy != ALLOWED) | |
| 159 return SetUserAllowedReason(reason, primary_user_policy); | |
| 146 | 160 |
| 147 // The user must have 'unrestricted' policy to be a secondary user. | 161 // The user must have 'unrestricted' policy to be a secondary user. |
| 148 const std::string behavior = GetCachedValue(user_email); | 162 const std::string behavior = GetCachedValue(user_email); |
| 149 return SetUserAllowedReason( | 163 return SetUserAllowedReason( |
| 150 reason, | 164 reason, |
| 151 behavior == kBehaviorUnrestricted ? ALLOWED : NOT_ALLOWED_POLICY_FORBIDS); | 165 behavior == kBehaviorUnrestricted ? ALLOWED : NOT_ALLOWED_POLICY_FORBIDS); |
| 152 } | 166 } |
| 153 | 167 |
| 154 void MultiProfileUserController::StartObserving(Profile* user_profile) { | 168 void MultiProfileUserController::StartObserving(Profile* user_profile) { |
| 155 // Profile name could be empty during tests. | 169 // Profile name could be empty during tests. |
| (...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 225 } else { | 239 } else { |
| 226 const std::string behavior = | 240 const std::string behavior = |
| 227 prefs->GetString(prefs::kMultiProfileUserBehavior); | 241 prefs->GetString(prefs::kMultiProfileUserBehavior); |
| 228 SetCachedValue(user_email, behavior); | 242 SetCachedValue(user_email, behavior); |
| 229 } | 243 } |
| 230 | 244 |
| 231 CheckSessionUsers(); | 245 CheckSessionUsers(); |
| 232 } | 246 } |
| 233 | 247 |
| 234 } // namespace chromeos | 248 } // namespace chromeos |
| OLD | NEW |
