Make sure to check write perms after rewriting destination table

The write-permission check must occur after any destination-table
rewriting, otherwise any application would be able to write to
any global setting, by supplying a fraudulent "system" namespace
in the uri, but with a key name that will be redirected to global.

Bug 7289965

Change-Id: I122098a64e40d14e00d3cb6608c50aeb74faf7ce

1 files changed, 3 insertions, 1 deletions

diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
index 1701f6e..76a5022 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
@@ -849,7 +849,6 @@ public class SettingsProvider extends ContentProvider {
         if (TABLE_FAVORITES.equals(args.table)) {
             return null;
         }
-        checkWritePermissions(args);
 
         // Special case LOCATION_PROVIDERS_ALLOWED.
         // Support enabling/disabling a single provider (using "+" or "-" prefix)
@@ -869,6 +868,9 @@ public class SettingsProvider extends ContentProvider {
             }
         }
 
+        // Check write permissions only after determining which table the insert will touch
+        checkWritePermissions(args);
+
         // The global table is stored under the owner, always
         if (TABLE_GLOBAL.equals(args.table)) {
             desiredUserHandle = UserHandle.USER_OWNER;