Closed Bug 1227011 Opened 9 years ago Closed 7 years ago

No prompt for creating/reading contact on Privileged App

Categories

(Firefox OS Graveyard :: Gaia::System, defect, P1)

ARM
Gonk (Firefox OS)
defect

Tracking

(blocking-b2g:2.5+, b2g-v2.1 affected, b2g-v2.2 affected, b2g-v2.5 ?, b2g-master affected)

RESOLVED WONTFIX

People

(Reporter: atsai, Unassigned)

Attachments

(4 files)

Description:
When a privileged app tries to read/write contacts, there should be a prompt asking the user for permission.

Test Environment:
* You'll need an engineer build, or install the ui-test-privileged app manually
app: https://github.com/mozilla-b2g/gaia/tree/master/dev_apps/uitest-privileged

STR:
1. Launch UI-Test-Privileged App
2. Click "Contacts"
3. Select "Insert fake contacts"
4. Approve the prompt and start to install contacts

Expected Result:
3. A prompt for user to decide to insert contacts or not

Actual Result:
3. No prompt; the app starts to insert contacts immediately.

We should get it fixed because it impacts user privacy.

https://developer.mozilla.org/en-US/Apps/Build/App_permissions
Set it as a P1 critical issue since we should get this fixed as soon as possible.
Severity: normal → critical
Priority: -- → P1
This issue is present in 2.1[1] and 2.2[2]. Due to bug 1223956, I couldn't get the latest builds. 

However, we had a test[3] that led to a false positive (more details in bug 1219695 comment 2). The test landed back in 1.3 and it already forced the prompt to be displayed. I'm afraid we might have this issue since 1.3. My Buri is dead, so I can't check 1.3 or 1.2. Removing regressionwindow-wanted and adding QAwanted until we find out which branches are affected or not. 

:KTucker, do you have the resources to check 2.0 Flame, 1.4 Flame, 1.3 Buri and 1.2 Buri?

Also, this problem is likely a security hole => Restricting it to Mozilla's employees and cc'd contractors.


[1] Build ID               20150724001207
Gaia Revision          9dba58d18006e921546cec62c76074ce81e16518
Gaia Date              2015-07-23 12:36:57
Gecko Revision         https://hg.mozilla.org/releases/mozilla-b2g34_v2_1/rev/41e10c6740be
Gecko Version          34.0
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20150724.035246
Firmware Date          Fri Jul 24 03:52:57 EDT 2015
Bootloader             L1TC000118D0


[2] Build ID               20150810032504
Gaia Revision          102f1299e9eafe3760e1deb44d556b5c4f36b5af
Gaia Date              2015-08-06 20:46:56
Gecko Revision         https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/da29b5af4232
Gecko Version          37.0
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20150810.065425
Firmware Date          Mon Aug 10 06:54:37 EDT 2015
Bootloader             L1TC000118D0

[3] https://github.com/mozilla-b2g/gaia/tree/master/tests/python/gaia-ui-tests/gaiatest/tests/functional/system/test_privileged_app_contacts_prompt.py
Group: mozilla-employee-confidential
I just tried a real privileged app[1], and it did ask me for the rights to access my contacts. I wonder if it's not just the "UI tests - Privileged" app that behaves like a certified one? What do you think, Al?

[1] https://marketplace.firefox.com/app/contact?src=search
Flags: needinfo?(atsai)
Keywords: qawanted
Could be. I don't have any idea about the root cause. ni? Ken to see if we can have some resources to dig in.
Group: mozilla-employee-confidential
Flags: needinfo?(atsai)
Flags: needinfo?(kchang)
Hi Paul,
  Do you know if we have any change in permission check after 2.1?
Flags: needinfo?(kchang) → needinfo?(ptheriault)
Hi, Norry,

Can you assign a tester to do branch check?
Please use apps ([1] and [2]) to do a branch check on Aries user build.
Thank you.

[1] https://github.com/mozilla-b2g/gaia/tree/master/dev_apps/uitest-privileged (Install it via web IDE)
[2] https://marketplace.firefox.com/app/contact?src=search (Short URL: https://goo.gl/sNxm11)
Flags: needinfo?(fan.luo)
Hi Verson,

Could you have a check according to comment 6? thanks.
Flags: needinfo?(xiongfuchao)
Attached video Arieskk.3gp (deleted) —
I can't use apps ([1] and [2]) to reproduce this issue on latest AriesKK v2.5 dogfood build & v2.6 user build by STR in comment 0.
Actual result: 3. A prompt for the user to decide whether to insert contacts or not.
Reproduce rate: 0/10
See Arieskk.3gp

Device: Aries KK v2.6 user(Unaffected)
Build ID               20151126173500
Gaia Revision          86959c405348d27ba5686956ae3a8ffc274d3db8
Gaia Date              2015-11-26 06:53:43
Gecko Revision         https://hg.mozilla.org/mozilla-central/rev/74c7941a9e22d50057800771ebae07f69deecc9f
Gecko Version          45.0a1
Device Name            aries
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.worker.20151126.165407
Firmware Date          Thu Nov 26 16:54:15 UTC 2015
Bootloader             s1

Device:Aries KK v2.5 dogfood (Unaffected)
Build ID               20151126113601
Gaia Revision          34ccc2c8f17b87a1fab95a4186b0019ec78c7f75
Gaia Date              2015-11-26 09:44:10
Gecko Revision         http://hg.mozilla.org/releases/mozilla-b2g44_v2_5/rev/fbaba398bd98fd1837ef2fd7c13ed8ee69640cfb
Gecko Version          44.0a2
Device Name            aries
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.worker.20151126.104443
Firmware Date          Thu Nov 26 10:44:51 UTC 2015
Bootloader             s1
Flags: needinfo?(xiongfuchao)
QA Whiteboard: [MGSEI-Triage+]
Hi William,

According to comment 8, this bug can't be reproduced on v2.5 and master.
Flags: needinfo?(whsu)
Flags: needinfo?(fan.luo)
(In reply to Verson Xiong from comment #8) 
> I can't use apps ([1] and [2]) to reproduce this issue on latest AriesKK
> v2.5 dogfood build & v2.6 user build by STR in comment 0.

This app is only present in engineering builds:
* Master: https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.b2g/gecko.v2.mozilla-central.latest.b2g.aries-eng-opt
* 2.5: https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-b2g44_v2_5.latest.b2g/gecko.v2.mozilla-b2g44_v2_5.latest.b2g.aries-eng-opt
Flags: needinfo?(whsu)
Based on bug 1219695 comment 1
(In reply to Johan Lorenzo [:jlorenzo] (QA) from comment #10)
> (In reply to Verson Xiong from comment #8) 
> > I can't use apps ([1] and [2]) to reproduce this issue on latest AriesKK
> > v2.5 dogfood build & v2.6 user build by STR in comment 0.
> 
> This app is only present in engineering builds:

You can clone the app and install it on a user build by using WebIDE.
If the app is installed using WebIDE, the warning/prompt message pops up when the user imports contacts (as comment 8 mentioned). So, it seems to me that we need to figure out the root cause to see if it is associated with certified apps (as comment 3 mentioned).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hi, Norry,

Could you assign a tester to do the same test on 2.2 branch?
I would like to compare the behavior of pre-installation and post-installation.
Please don't change the status flag because this is cross-comparison.
Flags: needinfo?(fan.luo)
Attached file logcat_0427.txt (deleted) —
Hi William,
I did the same test on the latest Flame v2.2 user & eng builds, but I can't use apps [1] (post-installation) and [2] to reproduce this issue; an overlay always pops up to prompt the user to decide whether to insert contacts or not.
Btw, when I use the pre-installed one to test, I get the same results as comment 0: no prompt appears. Please see Flamekk_v2.2_eng.3gp & logcat_eng_0427.txt
Reproduce rate: 0/10

See Flamekk_v2.2_user.3gp,Flamekk_v2.2_eng.3gp,logcat_eng_0427.txt
Device: FlameKK v2.2 user(post-installation -> Unaffected)
Build ID               20151130032503
Gaia Revision          885647d92208fb67574ced44004ab2f29d23cb45
Gaia Date              2015-10-07 13:05:24
Gecko Revision         https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/4381c4b69b9c
Gecko Version          37.0
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20151130.071422
Firmware Date          Mon Nov 30 07:14:34 EST 2015
Bootloader             L1TC000118D0

Device:FlameKK v2.2 eng (post-installation -> Unaffected)(pre-installation -> Affected)
Build ID               20151130032503
Gaia Revision          885647d92208fb67574ced44004ab2f29d23cb45
Gaia Date              2015-10-07 13:05:24
Gecko Revision         https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/4381c4b69b9c
Gecko Version          37.0
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20151130.085015
Firmware Date          Mon Nov 30 08:50:27 EST 2015
Bootloader             L1TC000118D0
Flags: needinfo?(fan.luo)
Attached video Flamekk_v2.2_user.3gp (deleted) —
Attached video Flamekk_v2.2_eng.3gp (deleted) —
Flags: needinfo?(whsu)
(In reply to Verson Xiong from comment #14)
> Created attachment 8693991 [details]
> logcat_0427.txt
> 
> Hi William,
> I did the same test on the latest Flame v2.2 user & eng builds, but I can't
> use apps [1] (post-installation) and [2] to reproduce this issue; an overlay
> always pops up to prompt the user to decide whether to insert contacts or not.
> Btw, when I use the pre-installed one to test, I get the same results as
> comment 0: no prompt appears. Please see Flamekk_v2.2_eng.3gp & logcat_eng_0427.txt
> Reproduce rate: 0/10
> 

It seems to me that the behavior of pre-installed app is different from post-installed app.
Thank you.
Flags: needinfo?(whsu)
(In reply to William Hsu [:whsu] from comment #17)
> It seems to me that the behavior of pre-installed app is different from
> post-installed app.
> Thank you.

I think this was done on purpose in bug 1014410.
Depends on: 1014410
(In reply to Ken Chang[:ken] from comment #5)
> Hi Paul,
>   Do you know if we have any change in permission check after 2.1?

There was no change, but Mike is correct. Pre-installed privileged apps are granted the certified level of permissions (which for contacts is allow, https://mxr.mozilla.org/mozilla-central/source/dom/apps/PermissionsTable.jsm#74).
Flags: needinfo?(ptheriault)
I.e., the STR is invalid here: to test the 'real' behavior of privileged apps, you need to install that app, not pre-install it.
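
The rule described in the two comments above, as an added example that is not part of the original thread and is not Gecko's code: a simplified model of why the pre-installed test app got no prompt while the same app installed via WebIDE did. The table contents, the `effectiveLevel`, `resolve` and `promptsSuppressed` helpers and the two fixtures are constructed for illustration; only "contacts is allow at the certified level" comes from the thread.

```javascript
// Simplified model, not Gecko code. Only "contacts is allow at the certified
// level" is stated in the thread; "prompt" for privileged is the behaviour the
// reporter expected; the rest of the table is constructed.
const ALLOW = "allow", DENY = "deny", PROMPT = "prompt";
const TABLE = {
  contacts: { web: DENY, privileged: PROMPT, certified: ALLOW },
};
// Manifest access modes and the permission suffixes they expand to.
const ACCESS = {
  readonly: ["read"],
  createonly: ["create"],
  readcreate: ["read", "create"],
  readwrite: ["read", "create", "write"],
};

// Per the thread: a pre-installed privileged app is evaluated at the certified
// level; one installed afterwards (WebIDE, Marketplace) keeps its declared level.
function effectiveLevel(app) {
  return app.type === "privileged" && app.preinstalled ? "certified" : app.type;
}

// Expand the manifest's permissions into concrete names and their actions.
function resolve(app) {
  const level = effectiveLevel(app);
  const out = {};
  for (const [name, { access }] of Object.entries(app.permissions)) {
    const entry = TABLE[name];
    if (!entry) continue; // not in the model: nothing granted
    for (const suffix of ACCESS[access] || []) {
      out[`${name}-${suffix}`] = entry[level] || DENY;
    }
  }
  return out;
}

// Permissions that are silently allowed only because of pre-installation; a
// prompt test run against such an app cannot observe the prompt.
function promptsSuppressed(app) {
  const actual = resolve(app);
  const declared = resolve({ ...app, preinstalled: false });
  return Object.keys(actual)
    .filter((p) => actual[p] === ALLOW && declared[p] === PROMPT);
}

// Constructed fixtures mirroring the two cases tested in the thread.
const manifest = { type: "privileged", permissions: { contacts: { access: "readwrite" } } };
const PREINSTALLED = { ...manifest, preinstalled: true };  // bundled in the build
const SIDELOADED = { ...manifest, preinstalled: false };   // installed via WebIDE
```

A non-empty result from `promptsSuppressed` for a test fixture means a prompt test against that fixture exercises the certified path, not the privileged one.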
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX