Grant file access permissions for cached file paths to file browsers/handlers.

chrome/browser/chromeos/extensions/file_browser_private_api.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/extensions/file_browser_private_api.h"
 
 #include <utility>
 
 #include "base/base64.h"
 #include "base/bind.h"
@@ skipping 999 matching lines @@
                      this,
                      mount_type_str));
       break;
     }
   }
 #endif  // defined(OS_CHROMEOS)
 
   return true;
 }
 
+void AddMountFunction::GrantFilePermissionsToHost(const FilePath& path,
+                                                  int permissions) {
+  ChildProcessSecurityPolicy::GetInstance()->GrantPermissionsForFile(
+      render_view_host()->GetProcess()->GetID(), path, permissions);
+}
 
 void AddMountFunction::AddGDataMountPoint() {
   fileapi::ExternalFileSystemMountPointProvider* provider =
       BrowserContext::GetFileSystemContext(profile_)->external_provider();
   const FilePath mount_point = gdata::util::GetGDataMountPointPath();
   if (!provider || provider->HasMountPoint(mount_point))
     return;
 
   // Grant R/W permissions to gdata 'folder'. File API layer still
   // expects this to be satisfied.
-  ChildProcessSecurityPolicy::GetInstance()->GrantPermissionsForFile(
-      render_view_host()->GetProcess()->GetID(), mount_point,
-      file_handler_util::GetReadWritePermissions());
+  GrantFilePermissionsToHost(mount_point,
+                             file_handler_util::GetReadWritePermissions());
+
+  const gdata::GDataFileSystem* gdata_file_system =
+      gdata::GDataFileSystemFactory::GetForProfile(profile_);
+
+  // We check permissions for raw cache file paths only for read-only
+  // operations (when fileEntry.file() is called), so read only permissions
+  // should be sufficient for all cache paths. For the rest of supported
+  // operations the file access check is done for gdata/ paths.
+  GrantFilePermissionsToHost(gdata_file_system->GetGDataCacheTmpDirectory(),
+                             file_handler_util::GetReadOnlyPermissions());
+  GrantFilePermissionsToHost(gdata_file_system->GetGDataCachePinnedDirectory(),
+                             file_handler_util::GetReadOnlyPermissions());

[satorux1, 2012/03/22 22:28:29]

PinnedDirectory only contains symlinks, and the real files stay in
PersistentDirectory. shouldn't we grant permissions for the persistent
directory?

Please add GDataFileSystem::GetGDataCachePersistentDirectory() if needed.

[tonibarzic, 2012/03/22 23:38:20]

Yeah, my bad... that should have been Persistent..

 
   provider->AddRemoteMountPoint(mount_point,
                                 new gdata::GDataFileSystemProxy(profile_));
+  FilePath mount_point_virtual;
+  if (provider->GetVirtualPath(mount_point, &mount_point_virtual))
+    provider->GrantFileAccessToExtension(extension_id(), mount_point_virtual);
 }
 
 void AddMountFunction::RaiseGDataMountEvent(gdata::GDataErrorCode error) {
   chromeos::MountError error_code = error == gdata::HTTP_SUCCESS ?
       chromeos::MOUNT_ERROR_NONE : chromeos::MOUNT_ERROR_NOT_AUTHENTICATED;
   DiskMountManager::MountPointInfo mount_info(
       gdata::util::GetGDataMountPointPathAsString(),
       gdata::util::GetGDataMountPointPathAsString(),
       chromeos::MOUNT_TYPE_GDATA,
       chromeos::disks::MOUNT_CONDITION_NONE);
@@ skipping 795 matching lines @@
             source_url_.GetOrigin(),
             &file_url)) {
       result->SetString("fileUrl", file_url.spec());
     }
 
     responses->Append(result.release());
   }
   result_.reset(responses.release());
   SendResponse(true);
 }