Do not allow DPM.resetPassword() when child profile exists or user is locked
Bug: 28878708 Change-Id: Iaae2a9ba9c7c0ff388264c474c78a0dcd9fec258
This commit is contained in:
Ricky Wai
@@ -2191,7 +2191,8 @@ public class DevicePolicyManager {
|
||||
* <em>Note: This API has been limited as of {@link android.os.Build.VERSION_CODES#N} for
|
||||
* device admins that are not device owner and not profile owner.
|
||||
* The password can now only be changed if there is currently no password set. Device owner
|
||||
* and profile owner can still do this.</em>
|
||||
* and profile owner can still do this when user is unlocked and does not have a managed
|
||||
* profile.</em>
|
||||
* <p>
|
||||
* The given password must be sufficient for the current password quality and length constraints
|
||||
* as returned by {@link #getPasswordQuality(ComponentName)} and
|
||||
@@ -2217,6 +2218,7 @@ public class DevicePolicyManager {
|
||||
* current constraints or if the user has not been decrypted yet.
|
||||
* @throws SecurityException if the calling application does not own an active administrator
|
||||
* that uses {@link DeviceAdminInfo#USES_POLICY_RESET_PASSWORD}
|
||||
* @throws IllegalStateException if the calling user is locked or has a managed profile.
|
||||
*/
|
||||
public boolean resetPassword(String password, int flags) {
|
||||
throwIfParentInstance("resetPassword");
|
||||
|
||||
@@ -3810,14 +3810,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
|
||||
// If caller has PO (or DO) it can change the password, so see if that's the case first.
|
||||
ActiveAdmin admin = getActiveAdminWithPolicyForUidLocked(
|
||||
null, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER, callingUid);
|
||||
final boolean preN = getTargetSdk(admin.info.getPackageName(),
|
||||
userHandle) <= android.os.Build.VERSION_CODES.M;
|
||||
if (admin == null) {
|
||||
// Otherwise, make sure the caller has any active admin with the right policy.
|
||||
admin = getActiveAdminForCallerLocked(null,
|
||||
DeviceAdminInfo.USES_POLICY_RESET_PASSWORD);
|
||||
|
||||
final boolean preN = getTargetSdk(admin.info.getPackageName(), userHandle)
|
||||
<= android.os.Build.VERSION_CODES.M;
|
||||
|
||||
// As of N, password resetting to empty/null is not allowed anymore.
|
||||
// TODO Should we allow DO/PO to set an empty password?
|
||||
if (TextUtils.isEmpty(password)) {
|
||||
@@ -3838,6 +3837,30 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
|
||||
}
|
||||
}
|
||||
}
|
||||
// Do not allow to reset password when current user has a managed profile
|
||||
if (!isManagedProfile(userHandle)) {
|
||||
for (UserInfo userInfo : mUserManager.getProfiles(userHandle)) {
|
||||
if (userInfo.isManagedProfile()) {
|
||||
if (!preN) {
|
||||
throw new IllegalStateException(
|
||||
"Cannot reset password on user has managed profile");
|
||||
} else {
|
||||
Slog.e(LOG_TAG, "Cannot reset password on user has managed profile");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
// Do not allow to reset password when user is locked
|
||||
if (!mUserManager.isUserUnlocked(userHandle)) {
|
||||
if (!preN) {
|
||||
throw new IllegalStateException("Cannot reset password when user is locked");
|
||||
} else {
|
||||
Slog.e(LOG_TAG, "Cannot reset password when user is locked");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
quality = getPasswordQuality(null, userHandle, /* parent */ false);
|
||||
if (quality == DevicePolicyManager.PASSWORD_QUALITY_MANAGED) {
|
||||
quality = DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
|
||||
|
||||
Reference in New Issue
Block a user