From 628ae0d84180c5f7c52725e02506021e532ed252 Mon Sep 17 00:00:00 2001
From: Robin Lee
Date: Fri, 20 May 2016 14:53:48 +0100
Subject: Move VPN restriction check into setup dialog

The purpose of DISALLOW_CONFIG_VPN is to stop users from configuring VPN, not from using it at all. The key difference being that if the admin already enforced a VPN then that setting should be respected (but it still shouldn't be tamperable).

Bug: 28733079
Change-Id: Ib8cab5657a9d5819a019093da3812cd8c2ca4050
---
 packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java | 5 +++++
 services/core/java/com/android/server/connectivity/Vpn.java | 3 +--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
index f0ca44162dad..badc31e6df92 100644
--- a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
+++ b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
@@ -25,6 +25,7 @@ import android.os.Bundle;
 import android.os.RemoteException;
 import android.os.ServiceManager;
 import android.os.UserHandle;
+import android.os.UserManager;
 import android.text.Html;
 import android.text.Html.ImageGetter;
 import android.util.Log;
@@ -55,6 +56,10 @@ public class ConfirmDialog extends AlertActivity
 finish();
 return;
 }
+ if (UserManager.get(this).hasUserRestriction(UserManager.DISALLOW_CONFIG_VPN)) {
+ finish();
+ return;
+ }
 View view = View.inflate(this, R.layout.confirm, null);
 ((TextView) view.findViewById(R.id.warning)).setText(
 Html.fromHtml(getString(R.string.warning, getVpnLabel()),
diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
index 32b9429ae656..5ca66ae25bb6 100644
--- a/services/core/java/com/android/server/connectivity/Vpn.java
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -555,8 +555,7 @@ public class Vpn {
 try {
 // Restricted users are not allowed to create VPNs, they are tied to Owner
 UserInfo user = mgr.getUserInfo(mUserHandle);
- if (user.isRestricted() || mgr.hasUserRestriction(UserManager.DISALLOW_CONFIG_VPN,
- new UserHandle(mUserHandle))) {
+ if (user.isRestricted()) {
 throw new SecurityException("Restricted users cannot establish VPNs");
 }
-- 
cgit v1.2.3-59-g8ed1b
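Review bot: With the `mgr.hasUserRestriction(UserManager.DISALLOW_CONFIG_VPN, ...)` test dropped from this `if`, the service side no longer enforces the restriction at all; the only check left is the early `finish()` added to `ConfirmDialog.onCreate` in the first file, which gates the consent UI rather than the operation itself. That matches the stated intent (an admin-enforced VPN must still come up), but it also means a package that already holds consent, or any consent path that does not pass through the dialog, reaches this code while the restriction is set, so it is worth confirming that every such path is admin-controlled. I would record the decision where the check used to be, e.g. `// DISALLOW_CONFIG_VPN is deliberately not checked here: it blocks granting consent (see ConfirmDialog), not use of an already-authorized VPN.` The enclosing method starts and ends outside the hunk, so the consent check it relies on is not visible here.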