Merge "Allow call addSharedAccountsFromParentUser with CREATE_USERS permission." into nyc-dev

1 files changed, 11 insertions, 1 deletions

diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 0cf517274f30..f7bd04b08ede 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -3538,7 +3538,7 @@ public class AccountManagerService
 
     @Override
     public void addSharedAccountsFromParentUser(int parentUserId, int userId) {
-        checkManageUsersPermission("addSharedAccountsFromParentUser");
+        checkManageOrCreateUsersPermission("addSharedAccountsFromParentUser");
         Account[] accounts = getAccountsAsUser(null, parentUserId, mContext.getOpPackageName());
         for (Account account : accounts) {
             addSharedAccountAsUser(account, userId);
@@ -5092,6 +5092,16 @@ public class AccountManagerService
         }
     }
 
+    private static void checkManageOrCreateUsersPermission(String message) {
+        if (ActivityManager.checkComponentPermission(android.Manifest.permission.MANAGE_USERS,
+                Binder.getCallingUid(), -1, true) != PackageManager.PERMISSION_GRANTED &&
+                ActivityManager.checkComponentPermission(android.Manifest.permission.CREATE_USERS,
+                        Binder.getCallingUid(), -1, true) != PackageManager.PERMISSION_GRANTED) {
+            throw new SecurityException("You need MANAGE_USERS or CREATE_USERS permission to: "
+                    + message);
+        }
+    }
+
     private boolean hasExplicitlyGrantedPermission(Account account, String authTokenType,
             int callerUid) {
         if (callerUid == Process.SYSTEM_UID) {