Bug 1719908 - Require compose permission for all events/function, which access or alter the message content. r=mkmelin.

Differential Revision: https://phabricator.services.mozilla.com/D119543 --HG-- extra : amend_source : fc991d0404759d288189bf0e5a2713fa5618a519
2021-07-12 13:44:43 +03:00 · 2021-07-12 13:44:43 +03:00 · df7fe275dd
--- a/mail/components/extensions/schemas/compose.json
+++ b/mail/components/extensions/schemas/compose.json
@ -243,6 +243,9 @@
        "name": "onAttachmentAdded",
        "type": "function",
        "description": "Fired when an attachment is added to a message being composed.",
+        "permissions": [
+          "compose"
+        ],
        "parameters": [
          {
            "name": "tab",
@ -258,6 +261,9 @@
        "name": "onAttachmentRemoved",
        "type": "function",
        "description": "Fired when an attachment is removed from a message being composed.",
+        "permissions": [
+          "compose"
+        ],
        "parameters": [
          {
            "name": "tab",
@ -465,6 +471,9 @@
        "name": "listAttachments",
        "type": "function",
        "description": "Lists all of the attachments of the message being composed in the specified tab.",
+        "permissions": [
+          "compose"
+        ],
        "async": true,
        "parameters": [
          {
@ -477,6 +486,9 @@
        "name": "addAttachment",
        "type": "function",
        "description": "Adds an attachment to the message being composed in the specified tab.",
+        "permissions": [
+          "compose"
+        ],
        "async": true,
        "parameters": [
          {
@ -505,6 +517,9 @@
        "name": "updateAttachment",
        "type": "function",
        "description": "Renames and/or replaces the contents of an attachment to the message being composed in the specified tab.",
+        "permissions": [
+          "compose"
+        ],
        "async": true,
        "parameters": [
          {
@ -538,6 +553,9 @@
        "name": "removeAttachment",
        "type": "function",
        "description": "Removes an attachment from the message being composed in the specified tab.",
+        "permissions": [
+          "compose"
+        ],
        "async": true,
        "parameters": [
          {
--- a/mail/components/extensions/test/browser/browser_ext_compose_attachments.js
+++ b/mail/components/extensions/test/browser/browser_ext_compose_attachments.js
@ -232,3 +232,65 @@ add_task(async function() {
  await extension.awaitFinish("finished");
  await extension.unload();
 });
+
+add_task(async function test_without_permission() {
+  let files = {
+    "background.js": async () => {
+      // Try to use onAttachmentAdded.
+      await browser.test.assertThrows(
+        () => browser.compose.onAttachmentAdded.addListener(),
+        `can't access property "addListener", browser.compose.onAttachmentAdded is undefined`,
+        "Should reject listener without proper permission"
+      );
+
+      // Try to use onAttachmentRemoved.
+      await browser.test.assertThrows(
+        () => browser.compose.onAttachmentRemoved.addListener(),
+        `can't access property "addListener", browser.compose.onAttachmentRemoved is undefined`,
+        "Should reject listener without proper permission"
+      );
+
+      // Try to use listAttachments.
+      await browser.test.assertThrows(
+        () => browser.compose.listAttachments(),
+        `browser.compose.listAttachments is not a function`,
+        "Should reject function without proper permission"
+      );
+
+      // Try to use addAttachment.
+      await browser.test.assertThrows(
+        () => browser.compose.addAttachment(),
+        `browser.compose.addAttachment is not a function`,
+        "Should reject function without proper permission"
+      );
+
+      // Try to use updateAttachment.
+      await browser.test.assertThrows(
+        () => browser.compose.updateAttachment(),
+        `browser.compose.updateAttachment is not a function`,
+        "Should reject function without proper permission"
+      );
+
+      // Try to use removeAttachment.
+      await browser.test.assertThrows(
+        () => browser.compose.removeAttachment(),
+        `browser.compose.removeAttachment is not a function`,
+        "Should reject function without proper permission"
+      );
+
+      browser.test.notifyPass("finished");
+    },
+    "utils.js": await getUtilsJS(),
+  };
+  let extension = ExtensionTestUtils.loadExtension({
+    files,
+    manifest: {
+      background: { scripts: ["utils.js", "background.js"] },
+      permissions: [],
+    },
+  });
+
+  await extension.startup();
+  await extension.awaitFinish("finished");
+  await extension.unload();
+});
--- a/mail/components/extensions/test/browser/browser_ext_compose_begin.js
+++ b/mail/components/extensions/test/browser/browser_ext_compose_begin.js
@ -948,7 +948,7 @@ add_task(async function testAttachments() {
      browser.test.notifyPass();
    },
    manifest: {
-      permissions: ["accountsRead", "messagesRead"],
+      permissions: ["compose", "accountsRead", "messagesRead"],
    },
  });