| Index: chrome/browser/chromeos/login/users/multi_profile_user_controller.cc
|
| diff --git a/chrome/browser/chromeos/login/users/multi_profile_user_controller.cc b/chrome/browser/chromeos/login/users/multi_profile_user_controller.cc
|
| index 4f325edcb8eeb6dfbca139054af1994c268919b7..dc1b5268fdc6ec4556729d591624b19d85ca1e9f 100644
|
| --- a/chrome/browser/chromeos/login/users/multi_profile_user_controller.cc
|
| +++ b/chrome/browser/chromeos/login/users/multi_profile_user_controller.cc
|
| @@ -87,30 +87,19 @@ void MultiProfileUserController::RegisterProfilePrefs(
|
| user_prefs::PrefRegistrySyncable::SYNCABLE_PREF);
|
| }
|
|
|
| -bool MultiProfileUserController::IsUserAllowedInSession(
|
| - const std::string& user_email,
|
| - MultiProfileUserController::UserAllowedInSessionReason* reason) const {
|
| +// static
|
| +MultiProfileUserController::UserAllowedInSessionReason
|
| +MultiProfileUserController::GetPrimaryUserPolicy() {
|
| UserManager* user_manager = UserManager::Get();
|
| CHECK(user_manager);
|
|
|
| const user_manager::User* primary_user = user_manager->GetPrimaryUser();
|
| - std::string primary_user_email;
|
| - if (primary_user)
|
| - primary_user_email = primary_user->email();
|
| -
|
| - // Always allow if there is no primary user or user being checked is the
|
| - // primary user.
|
| - if (primary_user_email.empty() || primary_user_email == user_email)
|
| - return SetUserAllowedReason(reason, ALLOWED);
|
| -
|
| - // Owner is not allowed to be secondary user.
|
| - if (user_manager->GetOwnerEmail() == user_email)
|
| - return SetUserAllowedReason(reason, NOT_ALLOWED_OWNER_AS_SECONDARY);
|
| + if (!primary_user)
|
| + return ALLOWED;
|
| + Profile* primary_user_profile =
|
| + ProfileHelper::Get()->GetProfileByUser(primary_user);
|
|
|
| - // Don't allow profiles potentially tainted by data fetched with policy-pushed
|
| - // certificates to join a multiprofile session.
|
| - if (policy::PolicyCertServiceFactory::UsedPolicyCertificates(user_email))
|
| - return SetUserAllowedReason(reason, NOT_ALLOWED_POLICY_CERT_TAINTED);
|
| + std::string primary_user_email = primary_user->email();
|
|
|
| // Don't allow any secondary profiles if the primary profile is tainted.
|
| if (policy::PolicyCertServiceFactory::UsedPolicyCertificates(
|
| @@ -118,31 +107,57 @@ bool MultiProfileUserController::IsUserAllowedInSession(
|
| // Check directly in local_state before checking if the primary user has
|
| // a PolicyCertService. His profile may have been tainted previously though
|
| // he didn't get a PolicyCertService created for this session.
|
| - return SetUserAllowedReason(reason,
|
| - NOT_ALLOWED_PRIMARY_POLICY_CERT_TAINTED);
|
| + return NOT_ALLOWED_PRIMARY_POLICY_CERT_TAINTED;
|
| }
|
|
|
| // If the primary profile already has policy certificates installed but hasn't
|
| // used them yet then it can become tainted at any time during this session;
|
| // disable secondary profiles in this case too.
|
| - Profile* primary_user_profile =
|
| - primary_user ? ProfileHelper::Get()->GetProfileByUser(primary_user)
|
| - : NULL;
|
| policy::PolicyCertService* service =
|
| primary_user_profile ? policy::PolicyCertServiceFactory::GetForProfile(
|
| primary_user_profile)
|
| : NULL;
|
| if (service && service->has_policy_certificates())
|
| - return SetUserAllowedReason(reason,
|
| - NOT_ALLOWED_PRIMARY_POLICY_CERT_TAINTED);
|
| + return NOT_ALLOWED_PRIMARY_POLICY_CERT_TAINTED;
|
|
|
| // No user is allowed if the primary user policy forbids it.
|
| const std::string primary_user_behavior =
|
| primary_user_profile->GetPrefs()->GetString(
|
| prefs::kMultiProfileUserBehavior);
|
| if (primary_user_behavior == kBehaviorNotAllowed)
|
| - return SetUserAllowedReason(reason,
|
| - NOT_ALLOWED_PRIMARY_USER_POLICY_FORBIDS);
|
| + return NOT_ALLOWED_PRIMARY_USER_POLICY_FORBIDS;
|
| +
|
| + return ALLOWED;
|
| +}
|
| +
|
| +bool MultiProfileUserController::IsUserAllowedInSession(
|
| + const std::string& user_email,
|
| + MultiProfileUserController::UserAllowedInSessionReason* reason) const {
|
| + UserManager* user_manager = UserManager::Get();
|
| + CHECK(user_manager);
|
| +
|
| + const user_manager::User* primary_user = user_manager->GetPrimaryUser();
|
| + std::string primary_user_email;
|
| + if (primary_user)
|
| + primary_user_email = primary_user->email();
|
| +
|
| + // Always allow if there is no primary user or user being checked is the
|
| + // primary user.
|
| + if (primary_user_email.empty() || primary_user_email == user_email)
|
| + return SetUserAllowedReason(reason, ALLOWED);
|
| +
|
| + // Owner is not allowed to be secondary user.
|
| + if (user_manager->GetOwnerEmail() == user_email)
|
| + return SetUserAllowedReason(reason, NOT_ALLOWED_OWNER_AS_SECONDARY);
|
| +
|
| + // Don't allow profiles potentially tainted by data fetched with policy-pushed
|
| + // certificates to join a multiprofile session.
|
| + if (policy::PolicyCertServiceFactory::UsedPolicyCertificates(user_email))
|
| + return SetUserAllowedReason(reason, NOT_ALLOWED_POLICY_CERT_TAINTED);
|
| +
|
| + UserAllowedInSessionReason primary_user_policy = GetPrimaryUserPolicy();
|
| + if (primary_user_policy != ALLOWED)
|
| + return SetUserAllowedReason(reason, primary_user_policy);
|
|
|
| // The user must have 'unrestricted' policy to be a secondary user.
|
| const std::string behavior = GetCachedValue(user_email);
|
|
|
Chromium Code Reviews
Issue 374853002:
Providing more information on why certain users can't be added to multi-profile (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master