So I've just implemented a widget for my app. It gets its data from the database through my ContentProvider
. I define my own read/write-permissions in my manifest, state that I use them (doesn't seem to make a difference), and require them in the content provider:
<!-- Define my permissions for the provider -->
<permission
android:name="com.nononsenseapps.notepad.permissions.read"
android:description="@string/permission_read_desc"
android:label="@string/permission_read_label"
android:permissionGroup="android.permission-group.PERSONAL_INFO"
android:protectionLevel="normal" />
<permission
android:name="com.nononsenseapps.notepad.permissions.write"
android:description="@string/permission_write_desc"
android:label="@string/permission_write_label"
android:permissionGroup="android.permission-group.PERSONAL_INFO"
android:protectionLevel="normal" />
......
<uses-permission android:name="com.nononsenseapps.notepad.permissions.read" />
<uses-permission android:name="com.nononsenseapps.notepad.permissions.write" />
<uses-permission android:name="android.permission.BIND_REMOTEVIEWS" />
......
<provider
android:name=".NotePadProvider"
android:authorities="com.nononsenseapps.NotePad"
android:enabled="true"
android:exported="true"
android:label="@string/app_name"
android:readPermission="com.nononsenseapps.notepad.permissions.read"
android:syncable="true"
android:writePermission="com.nononsenseapps.notepad.permissions.write" >
<grant-uri-permission android:pathPattern=".*" />
</provider>
I update my widget through a Service
(as per the widget tutorial):
<!-- List Widget -->
<receiver android:name="com.nononsenseapps.notepad.widget.ListWidgetProvider" >
<intent-filter>
<action android:name="android.appwidget.action.APPWIDGET_UPDATE" />
</intent-filter>
<meta-data
android:name="android.appwidget.provider"
android:resource="@xml/listwidgetinfo" />
</receiver>
<service
android:name="com.nononsenseapps.notepad.widget.ListWidgetService"
android:exported="false"
android:permission="android.permission.BIND_REMOTEVIEWS" />
And that Service
in turn does this (with a bunch of code not included):
/**
* This is the service that provides the factory to be bound to the collection
* service.
*/
public class ListWidgetService extends RemoteViewsService {
@Override
public RemoteViewsFactory onGetViewFactory(Intent intent) {
return new StackRemoteViewsFactory(this.getApplicationContext(), intent);
}
}
/**
* This is the factory that will provide data to the collection widget.
*/
class StackRemoteViewsFactory implements RemoteViewsService.RemoteViewsFactory {
public StackRemoteViewsFactory(Context context, Intent intent) {
mContext = context;
observer = new ListChecker(null);
mAppWidgetId = intent.getIntExtra(AppWidgetManager.EXTRA_APPWIDGET_ID,
AppWidgetManager.INVALID_APPWIDGET_ID);
}
public void onDataSetChanged() {
Log.d(TAG, "onDataSetChanged");
// Refresh the cursor
if (mCursor != null) {
mCursor.close();
}
// Get widget settings
SharedPreferences settings = mContext.getSharedPreferences(
ListWidgetConfigure.getSharedPrefsFile(mAppWidgetId),
mContext.MODE_PRIVATE);
if (settings != null) {
String listWhere = settings.getString(ListWidgetConfigure.LIST_WHERE, null);
listId = settings.getLong(ListWidgetConfigure.LIST_ID, -1);
String sortOn = settings.getString(ListWidgetConfigure.SORT_ON, NotePad.Notes.ALPHABETIC_ASC_ORDER);
mCursor = mContext.getContentResolver().query(
NotePadProvider.CONTENT_VISIBLE_URI, PROJECTION, listWhere, null,
sortOn);
}
}
}
So here's the problem: when I add the widget to the homescreen, a SecurityException
is immediately thrown inside the onDataSetChanged()
method when I try to query the provider. This appears to be because the homescreen does not hold the permission to read my content provider. My intuition was that it would not be a problem since my own app has the permission, and the service is obviously a part of my app.
Everything works beautifully if I remove the ReadPermission requirement from the provider. But that seems like a security problem because then any app can access the provider without the user having to approve anything.
So is there a way to use a provider with a ReadPermission with a widget? Or are you forced to use an unsecured exported provider?